Hi Peter,

I generally agree with your list of statements, but #7 is imprecise:

On Sun, 5 Mar 2017 22:06:31 -0800
Peter Bowen <[email protected]> wrote:

> 7) The only entity that knows if a certificate for their domain was
> not supposed to be issued is entity who was the domain registrant at
> the time of issuance.

To be more precise, the only entity that knows if a certificate for
their domain *did not undergo proper domain validation* is the entity
who was the domain registrant at the time of issuance[1]. Many other
types of misissuances can be detected by anyone, such as SHA-1,
encoding errors, illegal characters in dnsName SANs, overly-long
validity, etc.

Regards,
Andrew

[1] technically, at the time the CA is required to check, but that's
beside the point

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
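An added example, not part of the original message: a small check of the kind any third party could run over logged certificates, covering three of the misissuance classes named above (SHA-1, illegal characters in dnsName SANs, overly-long validity). It works on already-parsed fields; the record layout, the sample certificates and the 825-day limit are constructed assumptions for illustration, and nothing in it can tell whether domain validation took place.

```python
import re
from datetime import datetime

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def dnsname_problems(name):
    """Return syntax problems in a dnsName SAN value (empty list if clean)."""
    if not name or len(name) > 253:
        return ["bad overall length"]
    labels = name.lower().split(".")
    if labels[0] == "*":            # wildcard allowed only as the whole leftmost label
        labels = labels[1:]
        if not labels:
            return ["wildcard without a base domain"]
    return [f"illegal label {l!r}" for l in labels if not LABEL.fullmatch(l)]

def lint(cert, max_days):
    """Findings detectable from the certificate alone.

    cert is a dict of parsed fields (hypothetical layout for this example):
    sig_alg, not_before, not_after, dns_sans. max_days is the caller's policy limit.
    """
    findings = []
    if "sha1" in cert["sig_alg"].lower():
        findings.append("SHA-1 signature")
    lifetime = (cert["not_after"] - cert["not_before"]).days
    if lifetime > max_days:
        findings.append(f"validity {lifetime} days exceeds {max_days}")
    for san in cert["dns_sans"]:
        findings += [f"dnsName {san!r}: {p}" for p in dnsname_problems(san)]
    return findings

MAX_DAYS = 825  # assumed policy limit for this example only

# Constructed sample records, not real certificates.
GOOD = {"sig_alg": "sha256WithRSAEncryption",
        "not_before": datetime(2017, 1, 1), "not_after": datetime(2018, 1, 1),
        "dns_sans": ["example.com", "*.example.com"]}
BAD = {"sig_alg": "sha1WithRSAEncryption",
       "not_before": datetime(2017, 1, 1), "not_after": datetime(2022, 1, 1),
       "dns_sans": ["foo_bar.example.com", "example.com ", "www.*.example.com"]}

if __name__ == "__main__":
    for label, cert in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(cert, MAX_DAYS))
```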
