Thorsten Becker wrote:
> Nelson Bolyard wrote:
>> On the other hand, it is possible that the domain validation was performed
>> but that it was deceived through the use of DNS attacks. In his slides
>> on the subject of DNS attacks, Dan Kaminsky did say that it was possible
>> to deceive domain validation through DNS attacks.
>
> I think domain validation could be deceived using DNS attacks, but in this
> case this was apparently not necessary:
>
> http://www.networkworld.com/community/node/30822
>
> "Michael started his talk by detailing how he was able to purchase a
> certificate from a major CA with a FQDN of an existing fortune 500
> company’s website! How you ask is this possible, well when filling out the
> request form he simply checked the box that stated that the certificate was
> not going to be used on the internet and was for internal testing only."

I'll be convinced when I see the cert and/or see the web site's enrollment
page with that feature. There's one CA that can kiss its place in the root
list good-bye.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto