<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 03/30/2015 05:55 PM, Adriano Santoni
- Actalis S.p.A. wrote:<br>
</div>
<blockquote cite="mid:551963CC.50303@staff.aruba.it" type="cite">
<font face="Calibri">I do not agree with our company being listed
as "affected", as our CPS does not allow non-whitelist email
addresses. However, Will's rationale is that - regardless of the
BRs - domain validation by email is a security problem in
itself, even when only whitelisted email addresses are used:</font><br>
</blockquote>
<br>
But for this we have EV (and even IV/OV validations to some extent).
It's obviously and clearly known that domain control validations
have their limits; on the other hand, they are also very useful for the
right purpose (where the right purpose is probably an open question
depending on the CA, browser, subscriber and relying party).<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>