On 01/03/2009 11:33 PM, Nelson B Bolyard:
>> Additionally all steps of the subscribers are always logged (yes, every
>> click of it) and we have records about every validation and about which
>> email address was used for it, failed attempts etc. With those records
>> we could re-validate all certificates very quickly.
>
> Do your records include the email addresses that were actually used by
> your servers in the course of validation?

Yes. That was also the reason why we could pinpoint the attempt as
fraudulent within almost seconds...as such, we wouldn't prevent Verisign
from getting a cert from us and/or test our systems if the request is
legitimate.

> Can you search those records to see if any other certs were ever issued
> after using an email address that was "a different email address than the
> validations wizard actually provided" ?

Yes.

> I think a check of that magnitude is an appropriate response to this event.

This is exactly what we did.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org