Wan-Teh Chang wrote:
> On Tue, Aug 19, 2008 at 5:40 PM, Nelson Bolyard
> <[EMAIL PROTECTED]> wrote:
>> In a Network World column,
>> http://www.networkworld.com/community/node/31124
>> the author writes:
>>
>>> At Black Hat '08 there was a great demonstration of how valid "internal
>>> testing only" FQDN certificates for URLs that you don't control can be
>>> obtained by anyone asking.
>
> This means that CA doesn't even do "domain validation", right?

I believe so. I seriously doubt that the presenter of this demo (whoever
it was) really controlled the domain for live.com.

On the other hand, it is possible that the domain validation was performed
but that it was deceived through the use of DNS attacks. In his slides on
the subject of DNS attacks, Dan Kaminsky did say that it was possible to
deceive domain validation through DNS attacks. See
http://www.doxpara.com/DMK_BO2K8.ppt slides 76-79, especially slide 77

Eddy Nigg wrote:
> Ask them!

Who? I have no information about this beyond what I already posted in
this thread.