> Yep, but there must have been an API (at some level) for generating or
> processing the QuickInvite URL. That was what I was suggesting might
> have been the issue.

So, it's hard for me to answer this question because I didn't see any POC, but 1) it's not physically possible for private keys to be revealed in the interface as described to me and in which I've spent the last few days completely submerged, and 2) there's still the validation process which isn't simply bypassed with this URL.

I have to be cautious here in a couple of my answers, and I hope you appreciate why: as soon as I found out Symantec wasn't affected any more by this reseller, I found out who was. I have to responsibly disclose that information first and get a confirmation from them. I've already notified everyone I had contact info for there, and I'll stay on them.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy