I think you're right that this would work for many (most? all?) CAs that do
email-based domain ownership validation.

I was surprised to find he's right -- if you ask for a cert for foobar.example.com, typical CAs will let you validate via any of the WHOIS contacts for example.com or else [email protected].

That makes sense under the assumption that mail to that address is no less secure than mail to [email protected]. This is still a fairly exotic threat, since it still requires some fairly good DNS or route hijacking against the CA.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
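The following is an added example, not part of the message above or of any CA's code. It enumerates, for a requested FQDN, the "constructed" mailboxes (admin@, administrator@, webmaster@, hostmaster@, postmaster@) that the CA/Browser Forum Baseline Requirements permit a CA to use for email-based domain validation, at the requested name and at each parent domain down to the registrable domain. This makes the point in the message concrete: a request for foobar.example.com can be approved through a mailbox at example.com. A domain owner can run this against their own names to see which mailboxes must be controlled or made undeliverable. The public suffix set is a constructed stand-in for the real Public Suffix List, and the `controlled_mailboxes` input is an assumed inventory supplied by the owner.

```python
# Added example: which mailboxes could be used to validate a certificate
# request for a given FQDN under the Baseline Requirements' constructed-email
# method. Not code from the original message or from any CA.

# Local parts the Baseline Requirements allow for constructed email validation.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Constructed stand-in for the Public Suffix List (assumption: a real check
# would load the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def authorization_domains(fqdn):
    """Return the FQDN and each parent domain, stopping before a public suffix.

    A leading wildcard label ("*.") is dropped first, as the BRs do for wildcard
    requests.
    """
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    domains = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            break
        domains.append(candidate)
    return domains


def validation_mailboxes(fqdn):
    """All constructed mailboxes a CA may email to validate `fqdn`."""
    return [f"{lp}@{d}"
            for d in authorization_domains(fqdn)
            for lp in CONSTRUCTED_LOCAL_PARTS]


def exposure_report(fqdn, controlled_mailboxes):
    """Mailboxes that could validate `fqdn` but are not in the owner's inventory.

    `controlled_mailboxes` is an assumed list maintained by the domain owner of
    addresses that are either read by an authorized person or guaranteed to
    reject mail; anything not on it is a gap worth closing.
    """
    controlled = {m.lower() for m in controlled_mailboxes}
    return [m for m in validation_mailboxes(fqdn) if m not in controlled]


if __name__ == "__main__":
    # Constructed inventory: the owner only controls the parent-domain admin box.
    inventory = ["admin@example.com"]
    for mailbox in exposure_report("foobar.example.com", inventory):
        print("uncontrolled validation mailbox:", mailbox)
```

The output lists nine mailboxes for foobar.example.com: all five at the subdomain plus the four parent-domain addresses not in the inventory. WHOIS contacts, which the message also mentions, are not enumerable offline and are left out here.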
