Hi Hanno,
Simplicity is certainly a powerful aid to security.
I like the text-only idea for the DCV emails.

Not containing any user-controlled content is a harder sell, I think, because 
we really want to give the domain owner all the information we can about the 
certificate request that has been submitted.

We anticipate that in the Enterprise case it is of significant value to the 
applicant if the DCV email contains some information to assist the recipient 
of the DCV email to relate the certificate request to his organization's 
operation.  A message such as this could save them a lot of time:
"Required for https://svn.bambleweeny.net/trac/Project57/ticket/123, please 
phone Bob Kahn on extension #2719 if questions arise."

Although I can see that this message looks pretty similar:
"Required for https://phishingsport.darknet/we_have_cookies, please phone Pete 
McNasty on +963-444-44444 if questions arise."
and expecting the recipient to tell the difference between the two approaches 
pre-supposes a non-knuckle-dragging domain administrator.

If we pass no user-controlled content at all, the problem is that in the 
Enterprise case the domain administrator doesn't know who (within his 
organization) originated the certificate request.
The domain administrator needs some out-of-band communication with the 
applicant to be certain that the certificate request originated within his 
organization.
I suppose the problem there is really one of the Enterprise's policy in regard 
to the approval of issuance of certificates for its domains being up to 
scratch.

Regards
Robin Alden
Comodo

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
