On Wednesday, September 7, 2016 at 10:43:34 AM UTC-7, Han Yuwei wrote:
> I raise this question because of the WoSign incident about high-port
> validation. Many CAs use email validation, such as sending an email to
> [email protected], or putting a specific file into the root of the website.
> What I think is that this cannot validate that the *domain* is yours. It just
> verifies that you have the mail server or that you control the host. The best way to
> prove you own a domain is to change the DNS records of the domain.
> So I suggest changing the domain validation method to verify DNS records.
> Does that feel better?
Hi,

It sounds like you may not be familiar with the Baseline Requirements, which specifically spell out how to validate domains - https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.9.pdf

This already covers the specific set of email addresses that are reserved/acceptable to be used, the methods of file-based validation, and other forms of DNS record-based validation. This was the result of a nearly 2 year effort to strengthen the requirements, and while it's far from being as rock solid as we might want, it hopefully provides a better path to prevent many of the mistakes made.

To understand specifically what changed recently, perhaps review https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/

If you have any further concerns, you could certainly raise them to the CA/Browser Forum - [email protected] - or by signing up as an Interested Party, as explained at https://cabforum.org/email-lists/ and in the Forum's Bylaws - but it's likely that you would find many concerns have already been discussed or are in the process of being discussed.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
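The thread contrasts email-based and DNS record-based domain validation. As an added illustration (not code from either poster, nor from any CA or the CA/Browser Forum), the following Python sketch shows the two checks a validating party performs for the DNS-record method: issuing an unpredictable, time-limited challenge token and verifying that it appears in a TXT record under the domain, with the comparison done in constant time. It also shows the companion check for the "constructed email to domain contact" method, using the five reserved local parts (admin, administrator, webmaster, hostmaster, postmaster) that the Baseline Requirements permit. The `_ca-validation` record label, the one-hour lifetime and the `FAKE_DNS` table are constructed assumptions standing in for a CA's real challenge format and a live resolver.

```python
"""Domain-control validation checks: DNS TXT challenge and constructed e-mail contact.

Added example. The record label, lifetime and in-memory DNS table are
assumptions; a real validator would query authoritative DNS (ideally with
DNSSEC validation and from multiple network vantage points).
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Local parts a CA may use to reach the domain contact (BR section 3.2.2.4.4).
RESERVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Assumed record label under which the applicant publishes the challenge.
CHALLENGE_LABEL = "_ca-validation"


@dataclass(frozen=True)
class Challenge:
    domain: str          # domain being validated, normalised to lowercase
    token: str           # high-entropy random value the applicant must publish
    issued_at: float     # Unix time the token was generated
    ttl_seconds: int = 3600   # assumed lifetime; stale tokens are refused


def normalize_domain(domain: str) -> str:
    """Lowercase and drop a trailing dot so 'Example.COM.' == 'example.com'."""
    return domain.strip().rstrip(".").lower()


def issue_challenge(domain: str, now: float = None) -> Challenge:
    """Create a fresh, unguessable token bound to one domain and one time."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness
    return Challenge(normalize_domain(domain), token, now if now is not None else time.time())


def challenge_record_name(challenge: Challenge) -> str:
    """Fully qualified owner name where the TXT record is expected."""
    return f"{CHALLENGE_LABEL}.{challenge.domain}."


Lookup = Callable[[str, str], List[str]]


def make_lookup(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Build a resolver stand-in from a constructed (name, rtype) -> records table."""
    def lookup(name: str, rtype: str) -> List[str]:
        return table.get((name.lower(), rtype.upper()), [])
    return lookup


def verify_dns_txt(challenge: Challenge, lookup: Lookup, now: float = None) -> bool:
    """True only if an unexpired token is present verbatim in a TXT record."""
    now = now if now is not None else time.time()
    if now - challenge.issued_at > challenge.ttl_seconds:
        return False                              # expired: applicant must start over
    expected = challenge.token.encode("ascii")
    for record in lookup(challenge_record_name(challenge), "TXT"):
        # Constant-time compare: a record's length is public, its content is not.
        if hmac.compare_digest(record.strip().encode("utf-8", "replace"), expected):
            return True
    return False


def is_constructed_domain_contact(address: str, domain: str) -> bool:
    """True if address is <reserved-local-part>@<the domain being validated>."""
    if address.count("@") != 1:
        return False
    local, _, host = address.partition("@")
    return (local.lower() in RESERVED_LOCAL_PARTS
            and normalize_domain(host) == normalize_domain(domain))


if __name__ == "__main__":
    ch = issue_challenge("Example.COM")
    # Constructed DNS answers: the applicant published the token next to an SPF record.
    FAKE_DNS = {(challenge_record_name(ch), "TXT"): ["v=spf1 -all", ch.token]}
    print("dns challenge ok:", verify_dns_txt(ch, make_lookup(FAKE_DNS)))
    print("hostmaster ok:", is_constructed_domain_contact("hostmaster@example.com", "example.com"))
    print("arbitrary user ok:", is_constructed_domain_contact("alice@example.com", "example.com"))
```

The `lookup` parameter is injected so the logic can be exercised against a constructed table; in production the same function would be fed by a real resolver, and the token should never be reused across domains or re-issued after expiry.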