[cabfpub] Non-whitelisted email addresses used for DV issuing

Eddy Nigg eddy_nigg at startcom.org
Mon Mar 30 22:06:03 UTC 2015

On 03/30/2015 05:55 PM, Adriano Santoni - Actalis S.p.A. wrote:
> I do not agree with our company being listed as "affected", as our CPS 
> does not allow non-whitelist email addresses. However, Will's 
> rationale is that - regardless of the BRs - domain validation by email 
> is a security problem in itself, even when only whitelisted email 
> addresses are used:

But for this we have EV (and even IV/OV validations to some extend). 
It's obviously and clearly known that domain control validations have 
their limits, on the other hand are also very useful for the right 
purpose (where the right purpose is probably an open question depending 
on the CA, browser, subscriber and relying party).

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150331/2b7cbeb3/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150331/2b7cbeb3/attachment-0001.p7s>

More information about the Public mailing list