On Sunday, November 6, 2016 at 12:11:43 AM UTC+2, Ryan Sleevi wrote:
> Can you tell me where that clause indicates that they should use the Alexa 
> Top 1 million to consider a request "High Risk"?

It doesn't; "High risk" is left for the CA's interpretation. But after the fact 
you can say that they failed to identify a "High risk" request with the 
current state of their system and they SHOULD be required to update it (to 
prevent future requests for the specific domain in question from passing), and 
they MAY need to make their system more robust to identify other "High risk" 
requests and not just act after the fact.

Alexa top ~1000 is a good indicator for requests that should be considered as 
"High risk" [1] [2], especially in a free tier service.

Links:
1. https://github.com/certbot/certbot/issues/47#issuecomment-64060616
2. https://community.letsencrypt.org/t/name-is-blacklisted-on-renew/9012/19
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy