> For comparison of "What could be worse", you could imagine a CA using the
> .10 method to assert the Random Value (which, unlike .7, is not bounded in its
> validity) is expressed via the serial number. In this case, a CA could validate a
> request and issue a certificate. Then, every 3 years (or 2 years starting later this
> year), connect to the host, see that it's serving their previously issued
> certificate, assert that the "Serial Number" constitutes the Random Value, and
> perform no other authorization checks beyond that. In a sense, fully removing
> any reasonable assertion that the domain holder has authorized (by proof of
> acceptance) the issuance.

My "Freshness Value" ballot should fix this, by requiring that Freshness
Values actually be fresh.

-Tim

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
