On Thu, Feb 23, 2017 at 01:08:49AM +0000, Richard Wang via dev-security-policy 
wrote:
> I think "apple-id-2.com" is a high risk domain that must be blocked to issue 
> DV SSL to those domains.

Why?

> Here is the list of some high risk domains related to Microsoft and Google 
> that Let's Encrypt issued DV SSL certificates to those domains:
> https://crt.sh/?id=77034583  for microsoftonline.us.com, a fake Office 365 
> login site   
> https://crt.sh/?id=71789336  for mail.google-androids.ru
> https://crt.sh/?id=82075006  for marketgoogle.xyz
> https://crt.sh/?id=65208905  for google.ligboy.org

... and?  Issuance of a certificate (even EV) doesn't imply endorsement or an
attestation of anything other than "something has been done to verify
identity".  It is a means of providing *communication security* only,
attempts by the marketing departments of certain CAs to fraudulently imply
otherwise notwithstanding.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
