I thought WoSign's report was not very convincing. The subdomain bug has existed for a long time, and it made me feel it was a feature, not a bug. It's not a secret among the admins of personal or small sites. I was not very familiar with CA stuff at that time, just a subscriber of WoSign's free certificates. I have also signed a subdomain certificate without validating root domain control. But I controlled both of them, so I didn't think it was a very severe problem.
So I think it is very important to audit how many certificates were mis-issued by WoSign. This bug was widely used when I was running websites, for WoSign provided FREE 3-year multi-domain certificates at that time. (We didn't have Let's Encrypt at that time, and StartCom just issued single-domain certificates.)