undefined | Better HN

0 pointsAstralStorm8y ago0 comments

This is true except for the case of extended validation certificates. These should be actually validated as sanctioned by the registering entity and the entity should also be verified.

0 comments

jerf8y ago

Correct; that is what I mean by "low-class SSL certs", but thank you for using the correct term (which escaped my mind at the time). If GitHub got an extended validation cert, we have a real problem on our hands.

pfg8y ago

To be more precise, it would be a problem if GitHub got an Extended Validation certificate with the organization field containing the name of the domain owner rather than GitHub itself.

It would in fact be perfectly fine for a CA to issue an EV certificate containing "GitHub, Inc." and a domain that GitHub does not actually own, but which they control because someone pointed their A or CNAME record to GitHub pages. The Extended Validation Guidelines[1] do not require domain ownership for the organization requesting the certificate, it's enough to control it in a way that allows you to complete one of the blessed validation mechanisms defined in the Baseline Requirements.

[1]: https://cabforum-travis-artifacts.s3-us-west-2.amazonaws.com...

j / k navigate · click thread line to collapse

0 comments

jerf8y ago

pfg8y ago

To be more precise, it would be a problem if GitHub got an Extended Validation certificate with the organization field containing the name of the domain owner rather than GitHub itself.

[1]: https://cabforum-travis-artifacts.s3-us-west-2.amazonaws.com...

j / k navigate · click thread line to collapse