On Saturday, November 5, 2016 at 2:54:05 PM UTC-7, Itzhak Daniel wrote:
> (to my understanding) They did violate a "SHALL" guideline:
>
> "The CA SHALL develop, maintain, and implement documented procedures that
> identify and require additional verification activity for High Risk Certificate
> Requests prior to the Certificate's approval, as reasonably necessary to ensure
> that such requests are properly verified under these Requirements."
>
> I don't recall if they automatically approved or manually approved it by
> mistake (the operator wasn't familiar with Alibaba).
>
> alicdn.com is ranked 760 in Alexa top 1 million, and requests for this domain
> should be considered "high risk":
>
> CMD$ wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip;gzip -cd top-1m.csv.zip|grep alicdn.com
Can you tell me where that clause indicates that they should use the Alexa Top 1 million to consider a request "High Risk"?

This is a known, and well understood, issue with the clause - it is perfectly acceptable from the BRs, and therefore, at present, the Mozilla policy, to state that "We consider any requests for the domain example.com as 'High Risk', and all other domains shall not be considered as such."

What's required is they have a policy, and document the policy, and follow the policy. That's it.

Is that ideal? No. But is that what it says? Absolutely.

CAs and Browsers have been discussing this nuance for several years now, but certainly, at the time it happened, and to this present day, it means the above.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy