<div dir="ltr">Reposting for Peter<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 31, 2015 at 11:08 AM, Peter Bowen <span dir="ltr"><<a href="mailto:pzbowen@gmail.com" target="_blank">pzbowen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Mar 31, 2015 at 9:10 AM, Rick Andrews <<a href="mailto:Rick_Andrews@symantec.com">Rick_Andrews@symantec.com</a>> wrote:<br>
> Posted with permission from Will from CERT:<br>
</span>> [...]<br>
> <<a href="https://aws.amazon.com/blogs/aws/domain-verification-for-the-amazon-simple-email-service/" target="_blank">https://aws.amazon.com/blogs/aws/domain-verification-for-the-amazon-simple-email-service/</a>><br>
<span class="">> We suspect that Google, IBM, Microsoft, Amazon, and Zoho have thought about the security impacts of accepting insufficient proof of domain ownership.  We recommend that the CA/Browser Baseline Requirements be updated to remove the "whitelist" of predefined email aliases.<br>
<br>
</span>I work for Amazon, AWS in particular, and this statement does not<br>
accurately represent how SES works.  We do support email validation<br>
(<a href="http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html" target="_blank">http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html</a>)<br>
and DNS validation.  Additionally there are different considerations<br>
for email and certificates.<br>
<br>
I can assure you that AWS does not agree with CERT's summary that email is<br>
insufficient for domain verification for certificate issuance.<br>
<br>
Thanks,<br>
Peter<br>
</blockquote></div><br></div></div>