On 04/01/2010 10:35 AM, ssladministra...@portugalmail.pt:
Kurt Seifried here:
So I picked a webmail provider at random (sorry portugalmail.pt!) and
filled in the account form, taking ssladministrator as the email
name. Using this I was then able to buy a secure web certificate for
portugalmail.pt since the verification process is so weak. Here are
the five emails I received from RapidSSL; the only things I have
removed are my phone number and the last four digits of the credit
card. As you can see, the process isn't that hard.
Is this another 1st of April joke? At least your timing is a bit
questionable ;-)
Oh, and this fantastic news lines up nicely with your other thread "how
to report stolen/compromised certificate?" at
the mozilla.dev.security.policy mailing list. The irony is that you can
request to have your certificate revoked, but the owner of the domain
portugalmail.pt cannot.
I suggest adding another item to the Mozilla CA Policies that:
A) CAs are required to accept revocation requests by third parties and
investigate any request
B) CAs are required to revoke certificates upon key compromise and
wrongful issuance
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto