On Fri, 9 Jun 2023 05:42:22 -0700 (PDT) "John Han (hanyuwei70)" <[email protected]> wrote:
> Here is the story.
> https://github.com/acmesh-official/acme.sh/issues/4659
>
> Seems like they exploited acme.sh and let users evade the certificate
> issuing procedure.
>
> Do we need to discuss this?

The party in question (HiCA/QuantumCA) is not a certificate authority, and I don't see any evidence that the actual CAs in question evaded any validation requirements. HiCA/QuantumCA is just acting as an intermediary between subscribers and the issuance APIs operated by actual CAs[1]. Literally anyone can do this and do monumentally stupid/insecure things; it's not productive to have a discussion every time this happens.

Regards,
Andrew

[1] It's true they have a reseller relationship with ssl.com, who are operating a white-label intermediate CA with "QuantumCA" in the subject, but HiCA/QuantumCA are also fronting other CAs, including GTS, which doesn't require a reseller agreement to access their free ACME API, so I don't see that aspect as being productive to discuss either.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20230609090430.3a4e8396e6e0b856fc81c6ab%40andrewayer.name.
