Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Jan 15, 2018 at 4:54 PM, Eric Mill wrote: > I can only go on what's on the public list, but if it is as it appears and > GS proactively researched their offering, identified a similar weakness via > a separate BR method, and voluntarily turned off their implementation

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Jan 15, 2018 at 4:40 PM, Doug Beattie wrote: > > > > > *From:* Ryan Sleevi [mailto:r...@sleevi.com] > *Sent:* Monday, January 15, 2018 4:14 PM > *To:* Doug Beattie > *Cc:* r...@sleevi.com;

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Eric Mill via dev-security-policy
On Mon, Jan 15, 2018 at 4:22 PM, Ryan Sleevi wrote: > > > On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> That said, GlobalSign's offer to cut certificate lifetimes down to X >> months >> during the

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Doug Beattie via dev-security-policy
From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Monday, January 15, 2018 4:14 PM To: Doug Beattie Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham ; Wayne Thayer Subject: Re: Possible Issue

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Jan 15, 2018 at 4:11 PM, Eric Mill via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > That said, GlobalSign's offer to cut certificate lifetimes down to X months > during the short-term, and to make sure OneClick is disabled within Y > months from now, seems like a

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Jan 15, 2018 at 3:36 PM, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, > > I’m not sure where we go from here. As suggested, we encourage you to work on devising technical mitigations or alternative methods of validating such certificates

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Eric Mill via dev-security-policy
On Mon, Jan 15, 2018 at 2:30 PM, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Mon, Jan 15, 2018 at 1:18 PM, Doug Beattie > > wrote: > > > > > - The potential risk in maintaining this whitelist, given both the > >

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: Nick Lamb [mailto:n...@tlrmx.org] > Sent: Monday, January 15, 2018 2:39 PM > > > - Total number of active OneClick customers: < 10 > > What constitutes a OneClick customer in this sense? These are web hosting companies that receive certificates for

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Doug Beattie via dev-security-policy
Ryan, I’m not sure where we go from here. We have customers that need certificates and they have demonstrated they can comply with not permitting the creation and use of certificates for domains other than those that the hosting company is hosting for that customer. All certificates will

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Nick Lamb via dev-security-policy
On Mon, 15 Jan 2018 18:18:10 + Doug Beattie via dev-security-policy wrote: > - Total number of active OneClick customers: < 10 What constitutes a OneClick customer in this sense? The focus of concern for tls-sni-01 was service providers who

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Jan 15, 2018 at 1:18 PM, Doug Beattie wrote: > > > > > *From:* Ryan Sleevi [mailto:r...@sleevi.com] > *Sent:* Friday, January 12, 2018 5:53 PM > *To:* Doug Beattie > *Cc:* Wayne Thayer ; Gervase Markham < >

RE: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Doug Beattie via dev-security-policy
From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Friday, January 12, 2018 5:53 PM To: Doug Beattie Cc: Wayne Thayer ; Gervase Markham ; r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Possible Issue

Re: Possible Issue with Domain Validation Method 9 in a shared hosting environment

2018-01-15 Thread Ryan Hurst via dev-security-policy
Sleevi, Valid point, no intention to confuse, I have no current affiliation with GlobalSign, though I once did. The documentation that described the protocol seems to no longer be online, the behavior is observable and has been discussed in the validation working group within the CABFORUM so it

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-15 Thread Gervase Markham via dev-security-policy
On 14/01/18 21:32, jacob.hoffmanandr...@gmail.com wrote: > We discussed a similar approach (using CAA) on our community forum, > and concluded we don't want to pursue it at this time: > https://community.letsencrypt.org/t/tls-sni-via-caa/50172. The TXT > record would probably work more widely than