Peter Bowen wrote:
> On Sun, Mar 22, 2015 at 4:18 PM, Kathleen Wilson <[email protected]> wrote:
>>      admin@domain
>>      administrator@domain
>>      webmaster@domain
>>      hostmaster@domain
>>      postmaster@domain
>>
>> What do you all think?
>>
>> (Note this is also in Baseline Requirements section 11.1.1)
>
> It is hard to know which to remove without any data on how customers
> are using these today.  I would guess that admin & administrator are
> the more problematic ones, as they are not covered in any RFCs.  The
> other three are in http://tools.ietf.org/html/rfc2142.

Sorry for the late reply.

But the main problem in the cases mentioned before was that one of those local parts could be freely chosen for the domain. So the really hard requirement is: The domain owner must blacklist all those white-listed local parts when users can choose their e-mail address for a domain. The CA cannot do much about it.

If one thinks about removing some of the local parts from the white-list the hope is to raise the *likelihood* that the local part is already blocked by the true domain owner and cannot be freely chosen. Ideally if a CA sends a challenge to such an administrative e-mail address a cautious admin could notice a possible fraud and additionally inform the CA what's going on.

Hmm, relying on one admin e-mail alias seems to be not really sufficient. So how about sending separate validation challenge e-mails to more than one of those white-list addresses? This would also raise the likelihood of hitting a reserved mailbox.
How about requiring three challenge mails to admin mailbox addresses?
Or how about an even broader weighted list and a minimum threshold?

Being domain owner I would not mind the extra work grabbing more than one e-mail from my domain admin catch-all mailbox.

Ciao, Michael.
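
Added example, not part of the original message and not any CA's or mail provider's code: one way a domain owner who lets users pick their own address could block the five local parts quoted above at signup and audit mailboxes already issued. The case-insensitive matching, the `+` subaddress separator, the function names and the sample addresses are assumptions.

```python
import unicodedata

# The five local parts quoted in this thread (Baseline Requirements 11.1.1).
RESERVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def canonical_local_part(requested: str, tag_separators: str = "+") -> str:
    """Reduce a requested mailbox name to the form the check compares.

    Assumed provider behaviour: local parts are matched case-insensitively
    and anything after a subaddress separator reaches the base mailbox.
    """
    # NFKC folds compatibility forms (e.g. fullwidth letters) to ASCII.
    name = unicodedata.normalize("NFKC", requested).strip().casefold()
    for sep in tag_separators:
        name = name.split(sep, 1)[0]
    return name


def is_reserved(requested: str) -> bool:
    """True if a user must not be allowed to register this mailbox name."""
    return canonical_local_part(requested) in RESERVED_LOCAL_PARTS


def audit_existing(mailboxes):
    """Return already-issued user mailboxes that collide with the reserved set."""
    return sorted(m for m in mailboxes if is_reserved(m.split("@", 1)[0]))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real domain.
    issued = [
        "alice@example.test",
        "Hostmaster@example.test",
        "webmaster+news@example.test",
    ]
    for hit in audit_existing(issued):
        print("user-held mailbox collides with reserved alias:", hit)
```
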

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
