[cabfpub] Domain validation
ansaboor at microsoft.com
Thu Apr 16 09:27:02 MST 2015
Not if the SSL certificate is bound to hardware (like TPM).
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Thursday, April 16, 2015 9:16 AM
To: Anoosh Saboori; Eddy Nigg; public at cabforum.org
Subject: Re: [cabfpub] Domain validation
On 16/04/15 17:07, Anoosh Saboori wrote:
> I agree. It takes me back to my original comment: #6 (storing a random
> value under a well-known folder) is not at par with other methods
> outlined in this section.
If some attacker is capable of placing arbitrary content in the .well-known/ folder on a webserver, it's highly likely they are capable of stealing the existing SSL certificate, which resides on the same filesystem and has to be webserver-readable. They have no need to get a new one issued to them. They would also be capable of replacing other content on the website, or telling the webserver to redirect everyone to the attacker's site.
Given that, I think that there is no additional risk of doing certificate issuance based on this method.