On 17/09/2016 16:30, Florian Weimer wrote:
* Nick Lamb:
On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
does dns hijacking or dns cache poisoning count as mitm?
A careful CA validator does DNS only by making authoritative queries,
so they're not subject to cache poisoning since
* Nick Lamb:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries,
> so they're not subject to cache poisoning since they don't look at
> cached answers.
I'm
On 13/09/2016 11:50, Gervase Markham wrote:
On 12/09/16 19:02, Jakob Bohm wrote:
Wouldn't this fall under the general auditable requirement of being
careful in their practices and procedures.
Ask an auditor, and they will tell you that "be careful" is not an
auditable requirement.
I know
On 12/09/2016 09:42, Gervase Markham wrote:
On 11/09/16 23:42, Lee wrote:
A careful CA validator does DNS only by making authoritative queries, so
they're not subject to cache poisoning since they don't look at cached
answers.
Would a not careful CA be flagged on their yearly audit?
It only
On 10/09/2016 14:45, Gervase Markham wrote:
On 09/09/16 11:53, Jakob Bohm wrote:
As I read the Wiki description of WoSign issue L: Arbitrary High port
validation, the description notes a case of port 8080 validation as an
instance of this.
If the BR and or CP/CPS indeed classify port 8080 as a
On 11/09/16 23:42, Lee wrote:
>> A careful CA validator does DNS only by making authoritative queries, so
>> they're not subject to cache poisoning since they don't look at cached
>> answers.
>
> Would a not careful CA be flagged on their yearly audit?
It only might, if doing non-authoritative
On 9/11/16, Patrick Figel wrote:
> On 11/09/16 22:05, Lee wrote:
>>> In order to spoof a CA's domain validation request, an attacker
>>> would need to be in a position to MitM the connection between the
>>> CA and the targeted domain.
>>
>> does dns hijacking or dns cache
On Sunday, 11 September 2016 23:42:18 UTC+1, Lee wrote:
> Me personally? Not at all. I'm just asking if they _do_ have DNSSEC
> for their domains is there a way to leverage that to get a cert via an
> encrypted channel or at least do the domain validation via an
> encrypted channel instead of
On 9/11/16, Nick Lamb wrote:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries, so
> they're not subject to cache poisoning since
On 11/09/16 22:05, Lee wrote:
>> In order to spoof a CA's domain validation request, an attacker
>> would need to be in a position to MitM the connection between the
>> CA and the targeted domain.
>
> does dns hijacking or dns cache poisoning count as mitm?
I was mentioning this in order to
On 9/11/16, Patrick Figel wrote:
> On 10/09/16 22:37, Lee wrote:
>> Right - I figured that out about 30 seconds after reading an email
>> about allowing verification on ports 80 and 443. But you only need
>> to get the initial certificate one time - after that you should be
On 10/09/16 22:37, Lee wrote:
> Right - I figured that out about 30 seconds after reading an email
> about allowing verification on ports 80 and 443. But you only need
> to get the initial certificate one time - after that you should be
> able to renew using port 443 and I didn't see anything
On 9/10/16, Peter Bowen wrote:
> On Sat, Sep 10, 2016 at 9:14 AM, Lee wrote:
>> On 9/10/16, Gervase Markham wrote:
>>> On 09/09/16 11:53, Jakob Bohm wrote:
>>
>> Does Mozilla feel that using 'clear text' protocols to validate
>> domains is
On 9/10/16, Gervase Markham wrote:
> On 09/09/16 11:53, Jakob Bohm wrote:
>> As I read the Wiki description of WoSign issue L: Arbitrary High port
>> validation, the description notes a case of port 8080 validation as an
>> instance of this.
>>
>> If the BR and or CP/CPS indeed
On 09/09/16 11:53, Jakob Bohm wrote:
> As I read the Wiki description of WoSign issue L: Arbitrary High port
> validation, the description notes a case of port 8080 validation as an
> instance of this.
>
> If the BR and or CP/CPS indeed classify port 8080 as a valid web port
> for domain control
15 matches