By and large I'd say that Matt's no's should instead be yes's. If we adopt the standpoint that releasing a domain is equivalent to saying "I no longer use that name" then a revocation is equivalent to adding "...and anyone who does use that name must surely be an imposter."
In other words, we should give relying parties every opportunity to determine legitimate-or-fraud to the greatest extent possible. Granted the real world is not quite so simple but I think that's (part of?) the spirit of what we're here to do.

Original Message
From: Matt Palmer via dev-security-policy
Sent: Wednesday, February 22, 2017 10:32 PM
To: dev-security-policy@lists.mozilla.org
Reply To: Matt Palmer
Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Wed, Feb 22, 2017 at 10:00:45PM -0500, George Macon via dev-security-policy wrote:
> On 2/22/17 7:30 PM, Gervase Markham wrote:
> > On Hacker News, Josh Aas writes:
> > Update: Squarespace has confirmed that they did register the domain and
> > then released it after getting a certificate from us."
>
> In this case, should Squarespace have requested that the certificate be
> revoked before releasing the domain?

No.

> Is there a way to automatically detect that the domain was released? (I
> suspect the answer to this question is "not easily".)

There have been feeds provided in the past (they may still exist, but I haven't needed to look for them for some years) for registered domains, I don't know if something exists for expiration, but it certainly seems like it, given the speed with which squatters appear able to pick up expired domains.

> Would it make sense to prohibit certificate issuance during the grace
> period?

No.

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy