[cabfpub] Non-whitelisted email addresses used for DV issuing

Ryan Sleevi sleevi at google.com
Tue Mar 31 18:10:14 UTC 2015


Reposting for Peter

On Tue, Mar 31, 2015 at 11:08 AM, Peter Bowen <pzbowen at gmail.com> wrote:

> On Tue, Mar 31, 2015 at 9:10 AM, Rick Andrews <Rick_Andrews at symantec.com>
> wrote:
> > Posted with permission from Will from CERT:
> > [...]
> > <https://aws.amazon.com/blogs/aws/domain-verification-for-the-amazon-simple-email-service/>
> > We suspect that Google, IBM, Microsoft, Amazon, and Zoho have thought
> > about the security impacts of accepting insufficient proof of domain
> > ownership.  We recommend that the CA/Browser Baseline Requirements be
> > updated to remove the "whitelist" of predefined email aliases.
>
> I work for Amazon, AWS in particular, and this statement does not
> accurately represent how SES works.  We do support email validation
> (http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html)
> and DNS validation.  Additionally there are different considerations
> for email and certificates.
>
> I can assure you that AWS does not agree with CERT's summary that email is
> insufficient for domain verification for certificate issuance.
>
> Thanks,
> Peter
>