[cabfpub] Non-whitelisted email addresses used for DV issuing
sleevi at google.com
Mon Mar 30 08:04:08 MST 2015
OK. So we can conclude CERT has reached a different conclusion than
browsers and CAs.
I don't believe CERT's reply is at all consistent with other validation
methods - that is, it would seem they have decided to take issue with DV in
general, as compared to other validation methods. That is certainly their
prerogative, but not a conclusion I share at all.
At least it would be more helpful for them to list their perceived
vulnerability as accepting email validation at all, rather than conflating
the issue with non-whitelisted addresses.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public