Let's be realistic, anyone can obtain a domain validated certificate from Let's Encrypt and there is nothing really we can do to prevent this from happening. Methods exist.
Thank you, Burton On Thu, Mar 7, 2019 at 4:59 PM Matthew Hardeman <[email protected]> wrote: > > On Thu, Mar 7, 2019 at 10:54 AM James Burton <[email protected]> wrote: > >> Let's Encrypt issues domain validation certificates and anyone with a >> suitable domain name (e.g. .com, .net, .org .... ) can get one of these >> certificates just by proving control over the domain by using the DNS or " >> /.well-known/pki-validation" directory as stated in the CAB Forum baseline >> requirements. Country location doesn't matter. >> > > I'm sorry, but that is inaccurate. There are literally banned > subscribers. Let's Encrypt has publicly and officially acknowledged > this[1]. > > [1] > https://community.letsencrypt.org/t/according-to-mcclatchydc-com-lets-encrypt-revoqued-and-banned-usareally-com/81517/10?u=mdhardeman > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
