> -----Original Message-----
> From: Nick Lamb [mailto:n...@tlrmx.org]
> Sent: Monday, January 15, 2018 2:39 PM
>
> > - Total number of active OneClick customers: < 10
>
> What constitutes a OneClick customer in this sense?

These are web hosting companies that receive certificates for their users. We used to focus this on cPanel and similar control panels, but have largely moved away from them. These are customers that want an automated method to issue certificates and where HTTP and DNS methods are not suitable, or where they haven't wanted to re-work their APIs to use them. We believe all of these customers can be migrated over to HTTP or DNS methods (there are basically no other automated options if both 9 and 10 have security vulnerabilities). Each customer has an account with us so we know where the requests are coming from.

> The focus of concern for tls-sni-01 was service providers who present an
> HTTPS endpoint for many independent entities, most commonly a bulk web
> host or a CDN. These function as essentially a "Confused Deputy" in the
> discovered attack on tls-sni-01. For those providers there would undoubtedly
> be a temptation to pretend all is well (to keep things working) even if in
> fact they aren't able to defeat this attack or some trivial mutation of it,
> and that's coloured Let's Encrypt's response, because there's just no way to
> realistically police whitelisting of thousands or tens of thousands of such
> service providers.
>
> From the volumes versus numbers of customers, it seems as though OneClick
> must be targeting the same type of service providers, is that right?

Yes.

> The small number of such customers suggests that, unlike Let's Encrypt, it
> could be possible for GlobalSign to diligently affirm that each of the
> customers has technical countermeasures in place to protect their clients
> from each other.

Yes, for those customers that want to continue with this method, we would confirm they meet the criteria.

> In my opinion such an approach ought to be adequate to continue using
> OneClick in the short term, say for 12-18 months with the understanding that
> this validation method will either be replaced by something less problematic
> or the OneClick service will go away in that time.

We can do with an even shorter period - 6 months should be sufficient. Thanks for the support!

> But of course I do not speak for Google, Mozilla or any major trust store.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy