Eddy Nigg wrote, On 2009-01-02 22:18: > [...] The flaw was, that insufficient verification of the response at > the server side was performed, allowing him to validate the domain by > using a different email address than the validations wizard actually > provided. [...] > > Additionally all steps of the subscribers are always logged (yes, every > click of it) and we have records about every validation and about which > email address was used for it, failed attempts etc. With those records > could we re-validate all certificates very quickly.
Do your records include the email addresses that were actually used by your servers in the course of validation? Can you search those records to see if any other certs were ever issued after using an email address that was "a different email address than the validations wizard actually provided" ? I think a check of that magnitude is an appropriate response to this event. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
