Doug, I have some questions:

> c. The hosting company must allow you to manually create and upload
> a CSR for a site you don’t own

Did you mean to say 'certificate' here instead of 'CSR'?

> d. The user must be able to trick the hosting provider to enable SNI
> for this domain and link it to the certificate they uploaded

Is 'trick' the right term here? Isn't this just a default configuration for vulnerable hosting providers?

> While the vulnerabilities and risks are different between ACME TLS-SNI-01
> and OneClick,

Can you explain this statement? My impression is that the same vulnerability affects both methods.

> we’d like to propose a risk mitigation approach similar to Let’s Encrypt
> with the use of a whitelist. We’ll verify that certain providers have
> secure practices in place to prevent users from requesting certificates
> outside of their permitted domains and then whitelist them.

Let's Encrypt has stated that this is a short- to medium-term mitigation. Is your plan to continue to use this method indefinitely? Or are you ultimately planning to fix or deprecate the method?

> If this is acceptable, we’d like to resume issuance today if possible.

If my understanding of the 3.2.2.4.9 vulnerability being essentially the same as the 3.2.2.4.10 vulnerability is correct, then this seems reasonable to me, at least in the short term.

Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy