Nelson B Bolyard wrote:
Thorsten Becker wrote:
Nelson Bolyard wrote:
On the other hand, it is possible that the domain validation was performed
but that it was deceived through the use of DNS attacks.  In his slides
on the subject of DNS attacks, Dan Kaminsky did say that it was possible
to deceive domain validation through DNS attacks.
I think domain validation could be deceived using DNS attacks, but in this
case this was apparently not necessary:

http://www.networkworld.com/community/node/30822

"Michael started his talk by detailing how he was able to purchase a
certificate from a major CA with a FQDN of an existing fortune 500
company’s website! How you ask is this possible, well when filling out the
request form he simply checked the box that stated that the certificate was
not going to be used on the internet and was for internal testing only."

I'll be convinced when I see the cert and/or see the web site's enrollment
page with that feature.  There's one CA that can kiss its place in the root
list good-bye.
Luckily, Michael also stated that most CAs rejected his requests. But it only takes one CA to spoil the party.

The 'feature' check box may not be sufficient. CAs may allow the checkbox for domains you control. The cert on the other hand...

bob


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
