Ian G schreef: > OK, so it's good to figure out all the facts before we jump to conclusions. How do you mean?
> Why does the client want this certificate? What is the use case here? This client uses .int for an internal domain, but this does not changes the case. The certificate should not be issued because the domain has not been registered and could still be registered by some else. > Does the domain exist "for him" and we just can't see it (I'm thinking > some internal non-public internet sense here) ? It's used on a intranet, but this will not say this is a valid certificate. You can't validate domain ownership if a domain has not been registered! > Or is this an "embarrassment exercise" ? Believe me it's not! _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security