I raise this question because of the WoSign incident about high-port
validation. Many CAs use email validation, such as sending an email to
[email protected], or putting a specific file into the root of the website.
What I think is that this cannot validate that the *domain* is yours. It just
verifies that you have the mail server or that you control the host. The best
way to prove you own a domain is to change the DNS records of the domain.
So I suggest changing the domain validation method to verifying DNS records.
Does that seem better?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy