by Animats 3747 days ago
Right now, StartSSL needs to do a quick search on their database to see which certs had email sent to a domain other than the one for which the cert applies. All such certs should be revoked immediately, and the owners of the domains involved notified of the breach.

Also, did they check properly for TLD and subdomain issues? If I have "me.blogspot.com", can I get a cert for "blogspot.com"? (What's a TLD today? It's complicated. See "https://publicsuffix.org/")


StartSSL only allows validation for top level domains. So you can't get a cert for me.blogspot.com unless you own blogspot.com.

I think you entirely missed his point.

What about blogspot.co.uk? Do you need to own that, or co.uk to get a cert?

What counts as a "top level domain" is, as Animats said, complicated.

Oh ok. I can't attest to how this is handled because I have never attempted to get a cert for a domain like this.
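
The public-suffix question raised in this thread can be made concrete with the matching algorithm published at publicsuffix.org. The following is an added example, not part of any comment above and not StartSSL's code. The rule subset, the function names and the acceptance policy in `validation_domain_ok` are assumptions made for illustration.

```python
# Constructed subset of rules in Public Suffix List syntax; a real check would
# load the full list from https://publicsuffix.org/ (assumption for this example).
RULES = "com uk co.uk blogspot.com blogspot.co.uk *.ck !www.ck".split()


def public_suffix(domain):
    """Longest matching suffix of `domain` under RULES (PSL matching algorithm)."""
    labels = domain.lower().rstrip(".").split(".")
    best = ["*"]  # implicit default rule when nothing else matches
    for rule in RULES:
        parts = rule.lstrip("!").split(".")
        if len(parts) > len(labels):
            continue
        tail = labels[-len(parts):]
        if all(p in ("*", l) for p, l in zip(parts, tail)):
            if rule.startswith("!"):
                # Exception rule wins outright; the suffix drops its leftmost label.
                return ".".join(tail[1:])
            if len(parts) > len(best):
                best = parts
    return ".".join(labels[-len(best):])


def registrable_domain(domain):
    """Public suffix plus one label, or None if `domain` is itself a public suffix."""
    name = domain.lower().rstrip(".")
    suffix = public_suffix(name)
    if name == suffix:
        return None
    owner_label = name[: -len(suffix) - 1].split(".")[-1]
    return owner_label + "." + suffix


def validation_domain_ok(validated, requested):
    """Hypothetical policy: may proven control of `validated` cover `requested`?"""
    v = validated.lower().rstrip(".")
    r = requested.lower().rstrip(".")
    if registrable_domain(v) is None:  # never accept validation at a public suffix
        return False
    return r == v or r.endswith("." + v)


if __name__ == "__main__":
    for v, r in [("example.co.uk", "www.example.co.uk"),
                 ("co.uk", "example.co.uk"),
                 ("me.blogspot.com", "blogspot.com")]:
        print(v, "->", r, validation_domain_ok(v, r))
```

A "last two labels" shortcut would treat `co.uk` as the owner domain of `example.co.uk`; the rule-based lookup is what separates the two cases.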