Eddy Nigg wrote, On 2009-01-03 13:38:
> On 01/03/2009 11:33 PM, Nelson B Bolyard:
>>> Additionally all steps of the subscribers are always logged (yes, every
>>> click of it) and we have records about every validation and about which
>>> email address was used for it, failed attempts etc. With those records
>>> could we re-validate all certificates very quickly.
>
>> Do your records include the email addresses that were actually used by
>> your servers in the course of validation?
>
> Yes. That was also the reason why we could pinpoint the attempt as
> fraudulent within almost seconds...as such, we wouldn't prevent Verisign
> from getting a cert from us and/or test our systems if the request is
> legitimate.
>
>> Can you search those records to see if any other certs were ever issued
>> after using an email address that was "a different email address than the
>> validations wizard actually provided" ?
>
> Yes.
>
>> I think a check of that magnitude is an appropriate response to this event.
>
> This is exactly what we did.

That's good to read, Eddy. I had not understood that from your previous
messages on this subject. Thank you for clearing that up for me.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto