[cabfpub] BR 3.2.2.4.4 question
Ryan Sleevi
sleevi at google.com
Thu Oct 12 21:28:25 UTC 2017
No, they're an explicit whitelist, much like ports. That's precisely the
security risk - introducing other values creates other risk, as we've seen
through multiple CA 'not authorized' issuances in which they used an email
not on the whitelist (as they predated the whitelist).
We should be reducing that whitelist. But it's very much explicit ASCII
characters, in that capitalization, with no opportunity for
reinterpretation :)
On Thu, Oct 12, 2017 at 5:06 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
> That was my thoughts as well, but I thought it might make a good
> discussion. I see them as keywords, not as words set in a particular
> language.
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Thursday, October 12, 2017 3:04 PM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* Re: [cabfpub] BR 3.2.2.4.4 question
>
>
>
>
>
>
>
> On Thu, Oct 12, 2017 at 5:00 PM, Jeremy Rowley via Public <
> public at cabforum.org> wrote:
>
> Section 3.2.2.4.4 states that CAs can validate an email by “(i) sending an
> email to one or more addresses created by using 'admin', 'administrator',
> 'webmaster', 'hostmaster', or 'postmaster' as the local part, followed by
> the at‐ sign ("@"), followed by an Authorization Domain Name, (ii)
> including a Random Value in the email, and (iii) receiving a confirming
> response utilizing the Random Value”.
>
>
>
> Recently, we’ve been getting requests to send the email to the Spanish
> word for administrator (“Administrador” according to Google translate – I
> don’t speak Spanish). I don’t think this is permitted because the BRs
> specifically state that the five key email words permitted. Should
> translations of those words be allowed?
>
>
>
> Absolutely not :)
>
>
>
> These were allocated because they're either reserved (webmaster,
> hostmaster, postmaster) or because the CABF made them up based on past
> practices (admin, administrator). CAs absolutely should not be extending
> this list :)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171012/191aecde/attachment-0003.html>
More information about the Public
mailing list