[cabfpub] Non-whitelisted email addresses used for DV issuing
sleevi at google.com
Tue Mar 31 11:10:14 MST 2015
Reposting for Peter
On Tue, Mar 31, 2015 at 11:08 AM, Peter Bowen <pzbowen at gmail.com> wrote:
> On Tue, Mar 31, 2015 at 9:10 AM, Rick Andrews <Rick_Andrews at symantec.com>
> > Posted with permission from Will from CERT:
> > [...]
> > <
> > We suspect that Google, IBM, Microsoft, Amazon, and Zoho have thought
> about the security impacts of accepting insufficient proof of domain
> ownership. We recommend that the CA/Browser Baseline Requirements be
> updated to remove the "whitelist" of predefined email aliases.
> I work for Amazon, AWS in particular, and this statement does not
> accurately represent how SES works. We do support email validation
> and DNS validation. Additionally there are different considerations
> for email and certificates.
> I can assure that AWS does not agree with CERT's summary that email in
> insufficient for domain verification for certificate issuance.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public