This list hosted an extensive discussion on this issue in May of 2016, subject line "SSL Certs for Malicious Websites":
https://groups.google.com/d/topic/mozilla.dev.security.polic y/vMrncPi3tx8/discussion Most (all?) of the people on this thread participated on that one, and said most (all?) of these things. It's probably not worth rehashing it in a new thread that started on a different topic (misissuance to a non-existing domain) that is now resolved. -- Eric On Thu, Feb 23, 2017 at 6:29 PM, Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Feb 23, 2017 at 03:55:43AM +0000, Richard Wang via > dev-security-policy wrote: > > If "apple", "google", "Microsoft" is not a high risk domain, then I > don’t know which domain is high risk domain, maybe only "github". > > That's kinda the problem: you don't know, and neither does anyone else, > because there's no agreed-upon definition or policy for what constitutes a > "high risk domain". > > - Matt > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- konklone.com | @konklone <https://twitter.com/konklone> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy