On Fri, Jan 12, 2018 at 02:52:54PM +0000, Doug Beattie via dev-security-policy wrote: > I’d like to follow up on our investigation and provide the community with > some more information about how we use Method 9. > > 1) Client requests a test certificate for a domain (only one FQDN)
Does this test certificate chain to a publicly-trusted root? If so, on what basis are you issuing a publicly-trusted certificate for a name which doesn't appear to have been domain-control validated? If not, doesn't this test certificate break the customer's SSL validation for the period the certificate is installed, while you do the validation? - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
