This is an extremely good point. I wonder:

1. If Mozilla should ask/require CAs to perform this check.
2. If Mozilla should ask/require CAs to invest in the capability to make this check for future requests in the future (where we would require responses within a certain time period.)

-tom

On 14 December 2017 at 22:16, Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Has anyone started looking into CA issuances -- or even more importantly --
> CA domain validations performed successfully and yet without issuing a
> certificate (say, wanting to cache the validation) for the brief periods in
> which much of the internet saw alternative target destinations for a great
> deal of high value organization IP space?
>
> For those CAs with workflows which allow for expressly requesting a domain
> validation but not necessarily requiring that it be immediately utilized
> (say, for example LetsEncrypt or another CA running ACME protocol or similar)
> it might be of interest to review the validations performed successfully
> during those time windows.
>
> Additionally, it may be of value for various CAs to check their issuances
> upon domain validation for those periods.
>
> You can find the time periods and details about some of the IP space hijacked
> at bgpmon.net
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
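
The review discussed in this thread, sketched as an added example that is not part of either message or of any CA's tooling: cross-reference a CA's validation log against hijacked prefixes and their time windows, then separate certificates issued from those validations (including later issuance from a cached validation) from cached validations not yet used. The record layout, field names, prefixes and timestamps are all constructed; real windows would come from BGP monitoring reports such as the bgpmon.net data mentioned above.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed hijack windows (prefix, start, end); documentation ranges, not real data.
HIJACKS = [
    (ip_network("192.0.2.0/24"), ts("2017-01-01T04:40:00"), ts("2017-01-01T04:50:00")),
    (ip_network("2001:db8:10::/48"), ts("2017-01-01T07:00:00"), ts("2017-01-01T07:10:00")),
]
# Constructed validation log: the IP is the address the CA actually connected to.
VALIDATIONS = [
    {"id": "v1", "domain": "a.example", "at": ts("2017-01-01T04:45:10"), "ip": "192.0.2.15"},
    {"id": "v2", "domain": "b.example", "at": ts("2017-01-01T05:30:00"), "ip": "192.0.2.20"},
    {"id": "v3", "domain": "c.example", "at": ts("2017-01-01T07:05:00"), "ip": "2001:db8:10::5"},
    {"id": "v4", "domain": "d.example", "at": ts("2017-01-01T04:46:00"), "ip": "198.51.100.9"},
    {"id": "v5", "domain": "e.example", "at": ts("2017-01-01T07:08:00"), "ip": "2001:db8:10::9"},
]
# Constructed issuance log; s3 was issued weeks later from a cached validation.
ISSUANCES = [
    {"serial": "s1", "validation_id": "v1", "at": ts("2017-01-01T04:45:30")},
    {"serial": "s2", "validation_id": "v2", "at": ts("2017-01-01T05:31:00")},
    {"serial": "s3", "validation_id": "v3", "at": ts("2017-01-20T12:00:00")},
]

def suspect_validations(validations, hijacks):
    """IDs of validations whose target IP was inside a hijacked prefix during its window."""
    hits = set()
    for v in validations:
        addr = ip_address(v["ip"])
        for net, start, end in hijacks:
            if addr.version == net.version and addr in net and start <= v["at"] <= end:
                hits.add(v["id"])
                break
    return hits

def review(validations, issuances, hijacks):
    """Split suspect validations into issued certificates and cached, not yet used ones."""
    suspect = suspect_validations(validations, hijacks)
    used = {i["validation_id"] for i in issuances}
    return {
        "suspect_validations": sorted(suspect),
        "certs_to_review": sorted(i["serial"] for i in issuances if i["validation_id"] in suspect),
        "cached_unused": sorted(suspect - used),
    }

if __name__ == "__main__":
    print(review(VALIDATIONS, ISSUANCES, HIJACKS))
```

Filtering issuances by issuance time alone would miss s3, which was issued outside every window but relies on a validation performed inside one.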