Very interesting. This is exactly the sort of thing I'm concerned about with respect to Let's Encrypt and ACME.
I would think that all CAs should issue some sort of statement regarding the security testing of any similar, Internet-facing API interface they might be using. I would actually like to see a statement regarding any interface, including browser-based, but one step at a time. Let's at least know that all the other interfaces undergo regular security scans--or when a CA might start doing them. Anyone proposing updates in CABF?

Original Message
From: Rob Stradling
Sent: Thursday, June 30, 2016 10:31 AM
To: mozilla-dev-security-pol...@lists.mozilla.org; 'Eddy Nigg (StartCom Ltd.)'
Subject: StartEncrypt considered harmful today

https://www.computest.nl/blog/startencrypt-considered-harmful-today/

Eddy, is this report correct? Are you planning to post a public incident report?

Thanks.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy