While it may not be misissuance, I don’t know if this provides a
significant level of reassurance.

For example, there have been repeated discussions in the CA/B Forum about
allowing CAs to be permanently delegated to (e.g. via CNAME). This would
make an issue like this functionally equivalent to compromising
validation for those domains, and so it benefits from a greater degree of
public postmortem and incident response.

Even ignoring this, it doesn’t address, for example, whether they allow
accounts to reuse cached/past validations, which could have a similar
impact today, without changes to the BRs.

Given the quality of Netlock’s past incident reports, it seems reasonable
to be concerned, and to hope for a full, public and transparent incident
report that can build confidence that Netlock truly has considered the edge
cases, examining not only how the incident happened, but how it was
detected and how it should have been prevented.

If you recall, DigiNotar was arguably exemplary in their network design,
which was strongly separated and tightly controlled to limit data flow, and
that incident still happened - and DigiNotar failed to adequately detect it.

To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHELyeSNY35yMMOZMDyDyGF4-KJ4g06NvrTh0cmiDDiNPw%40mail.gmail.com.