On Wed, Feb 22, 2017 at 10:00:45PM -0500, George Macon via dev-security-policy wrote: > On 2/22/17 7:30 PM, Gervase Markham wrote: > > On Hacker News, Josh Aas writes: > > Update: Squarespace has confirmed that they did register the domain and > > then released it after getting a certificate from us." > > In this case, should Squarespace have requested that the certificate be > revoked before releasing the domain?
No. > Is there a way to automatically detect that the domain was released? (I > suspect the answer to this question is "not easily".) There have been feeds provided in the past (they may still exist, but I haven't needed to look for them for some years) for registered domains, I don't know if something exists for expiration, but it certainly seems like it, given the speed with which squatters appear able to pick up expired domains. > Would it make sense to prohibit certificate issuance during the grace > period? No. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy