[cabfpub] Domain validation

Anoosh Saboori ansaboor at microsoft.com
Thu Apr 16 16:27:02 UTC 2015

Not if the SSL certificate is bound to hardware (like TPM).

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, April 16, 2015 9:16 AM
To: Anoosh Saboori; Eddy Nigg; public at cabforum.org
Subject: Re: [cabfpub] Domain validation

On 16/04/15 17:07, Anoosh Saboori wrote:
> I agree. It takes me back to my original comment: #6 (storing a random 
> value under a well-known folder) is not at par with other methods 
> outlined in this section.

If some attacker is capable of placing arbitrary content in the .well-known/ folder on a webserver, it's highly likely they are capable of stealing the existing SSL certificate, which resides on the same filesystem and has to be webserver-readable. They have no need to get a new one issued to them. They would also be capable of replacing other content on the website, or telling the webserver to redirect everyone to the attacker's site.

Given that, I think that there is no additional risk of doing certificate issuance based on this method.

