On Thu, 11 Aug 2016 19:08:25 +0100 "Robin Alden" <[email protected]> wrote:
> Simplicity is certainly a powerful aid to security.
> I like the text-only idea for the DCV emails.

Would you be interested in working on a proposal on that for the CA/B-Forum? (I'm not allowed to post there, so I can't directly have that discussion.)

I'm a bit disappointed that this incident hasn't caused more discussion. I think the domain validation process is one of the most sensitive pieces of the CA ecosystem and should receive extra security care. And the verification emails are an extremely common way of doing domain validation.

> Not containing any user controlled content is a harder sell, I think,
> because we really want to give the domain owner all the information
> we can about the certificate request that has been submitted.

I understand that use-case, yet I still see a significant risk in any user-controlled content even in text-only mails (there are most likely mail implementations out there that can be tricked into rendering html inside a text-only mail).

I wonder if user-controlled content could at least be restricted to customers that have some kind of long-term relationship with a CA, e.g. through payment, contracts etc. Because that business case doesn't seem to be like something that the average "I want to get a cert quick, cheap (free) and easy" use case.

If forbidding user-controlled content is a no-go for some I'd like to see at the very least some very clear and specific guidelines on how to filter or escape them. What I'd like to have is something that can be checked and pointed out by security researchers if it isn't done.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

