Much has been written about this issue of late; most of the focus has been
on Let's Encrypt, but they are not the only CA issuing certificates to
phishing sites, though because of the scale Let's Encrypt operates at, they
issue the most, and thus take most of the heat.
One of the better articles
> However, I don't believe "technically correct, but intentionally
misleading" information should be included in certificates. The question
is how best to accomplish that.
How would you determine what's misleading, and what isn't? As mentioned,
the Stripe, Inc of Kentucky could present an image
> > > Even if it is, someone filed the paperwork. Court houses have clerks,
> > > guards, video cameras, etc... It still may present a real physical
> > > from which to bootstrap an investigation.
> > Court houses also have online systems. I think if you read both Ian and
You linked to a thread in m.d.s.p and cited it as confirming a specific
interpretation of 7.1 - as that's a long thread (with some possible
questionable information), could you possibly share what criteria you used to
determine what certificates were impacted by this issue and which
(Apologies in advance if I've missed something that led to these results. These
results rely on the crt.sh database, which I will admit to being less familiar
with than I would like.)
While recently looking at some randomly selected recent certificates from this
> Lastly, it was identified/discussed since we were STARTING with 64 bits it was
> acceptable. Therefore, GoDaddy was in compliance prior to 3/7. After this
> discussion we changed back to the pre-3/7 configuration on 3/13.
Thanks for the additional explanation, greatly appreciated.
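The "64 bits" point in the exchange above is the Baseline Requirements section 7.1 rule that a serial number must be greater than zero and contain at least 64 bits of CSPRNG output. The following is an added example, not code from this thread or from any CA's issuance system, showing how a practitioner would measure that against a sample of DER certificates with only the standard library. The certificate inputs are hand-constructed stubs that carry just the version and serial fields (an assumption made so the example runs offline); the DER walker, the integer sign handling, and the sample-level check are the real thing.

```python
"""Check X.509 serial numbers against the BR 7.1 requirement of at least
64 bits of CSPRNG output, using only the Python standard library.

Assumption (not from the thread): serials are read from DER-encoded
certificates; the SAMPLE_CERTS below are constructed stubs that contain
only the fields needed to reach serialNumber.
"""


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def serial_from_der(cert_der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber.

    DER INTEGER is two's complement: a 64-bit serial whose top bit is set is
    encoded in 9 bytes with a leading 0x00, while an 8-byte encoding whose
    first bit is set decodes as a negative number, which BR 7.1 forbids.
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    tag2, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, content, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version present, skip it
        tag, content, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(content, "big", signed=True)


def serial_report(serials) -> dict:
    """Summarise a sample of serials.

    One serial cannot prove 64 bits of entropy: a random 64-bit value has its
    top bit clear half the time, so a bit_length() of 63 is normal. What a
    sample can show is a fixed top bit: if no serial in a reasonable sample
    ever uses bit 64, the generator is emitting at most 63 random bits.
    """
    serials = list(serials)
    return {
        "count": len(serials),
        "max_bits": max(s.bit_length() for s in serials),
        "bit64_set": sum(1 for s in serials if s.bit_length() >= 64),
        "nonpositive": sum(1 for s in serials if s <= 0),
    }


def _stub_cert(serial_content: bytes) -> bytes:
    """Constructed stand-in for a DER certificate: only version and serial."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))            # v3
    tbs = _tlv(0x30, version + _tlv(0x02, serial_content))
    return _tlv(0x30, tbs)


def _der_int(value: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


# Constructed samples (not real certificates, not taken from crt.sh):
SAMPLE_CERTS = [
    _stub_cert(_der_int(0x9F3BC0DE12345678)),         # 64 bits used, 9-byte DER
    _stub_cert(_der_int(0x7A5C4E210BADF00D)),         # 63 bits used, 8-byte DER
    _stub_cert(_der_int(0x0123456789ABCDEF)),         # 57 bits used, 8-byte DER
    _stub_cert(b"\x80\x00\x00\x00\x00\x00\x00\x01"),  # no sign pad: negative
]


def sample_report() -> dict:
    """Run the check over the constructed sample."""
    return serial_report(serial_from_der(c) for c in SAMPLE_CERTS)


if __name__ == "__main__":
    print(sample_report())
```

To apply this to a real population, replace SAMPLE_CERTS with DER blobs for one issuer (crt.sh serves them) and look at bit64_set relative to count: for a genuine 64-bit CSPRNG source it should be roughly half the sample, and a persistent zero there is the signal that the generator keeps only 63 bits.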