On Thursday, March 7, 2019 at 12:30:03 PM UTC-5, James Burton wrote:
> I'm talking about someone from a restricted country using an undocumented
> domain name to obtain a Let's Encrypt certificate and there is nothing that
> can be done about it. 

Until they get caught and their certificates revoked (with the corresponding 
service disruption) as indicated in 
https://community.letsencrypt.org/t/according-to-mcclatchydc-com-lets-encrypt-revoqued-and-banned-usareally-com/81517/10?u=hablutzel1:

> When it is brought to our attention that we are serving an entity on the SDN 
> list, and if we can confirm the report, we will respond by revoking 
> outstanding certs and banning future issuance to the entity.
>
>...
>
> This happens to maybe one domain per month, to give you some idea of the
> frequency.

So in the best case scenario they could keep getting free LE certificates at 
the expense of the quality of the service they provide, e.g. because of the 
need to renew domains constantly.

> We can't predict the future.
> 
> Thank you,
> 
> Burton
> 
> On Thu, Mar 7, 2019 at 5:23 PM Matthew Hardeman <mharde...@gmail.com> wrote:
> 
> >
> > On Thu, Mar 7, 2019 at 11:11 AM James Burton <j...@0.me.uk> wrote:
> >
> >> Let's be realistic, anyone can obtain a domain validated certificate from
> >> Let's Encrypt and there is nothing really we can do to prevent this from
> >> happening. Methods exist.
> >>
> >
> > I am continuing to engage in this tangent only in as far as it illustrates
> > the kinds of geopolitical issues that already taint this space and in as
> > much as that, I believe has some relevance for the larger conversation.
> > Now that I've said that, please, by all means, if I'm wrong about the
> > referenced assertion that I've posted, reach out to the usareally.com
> > people and help them get a Let's Encrypt certificate.  Good luck with that.
> >
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
