On Friday, 31 March 2017 17:27:34 UTC+1, tarah.s...@gmail.com wrote:
> I'm Tarah. I am the Principal Security Advocate and Senior Director of 
> Engineering at Symantec Website Security (the certificate authority.

Hello Tarah,

Regular readers of m.d.s.policy will not be surprised that the news media 
doesn't do a great job of explaining problems with the Web PKI.

As so often I have questions, none of which involve kittens or Ferris Bueller 
but instead today focus on QuickInvite URLs.

1. Symantec's own web site describes "Quick Invite" in several places, I 
presume this is the same QuickInvite system you're talking about. It explains 
that "The Quick Invite Duration default expiration time is 30 days, but can be 
set during the sending of the invite" with a maximum of one year. Presumably 
this is simply obsolete documentation, or else it refers to some other feature 
under a similar name? If the former, I am happy to provide the URLs where I 
found this, are you able to ensure they get updated or removed?

2. What was the designed purpose of the QuickInvite URL / the QuickInvite 
system itself? I appreciate that for you its purpose is very obvious as you've 
spent time up to your neck in it, but to me it's still rather opaque. Let me 
set out some possible actors in our play, and hopefully you can tell me which 
actors arrange for the URL to be sent out, which actors receive it, and what 
they can do with it. That last is quite important. If the list I provide is 
inadequate feel free to invent more people, just explain what they do.

Exam PLE is a small business with a web site, www.example.com
Andrea is the sysadmin at Exam PLE
Betty is Alice's boss, her details are listed in WHOIS for example.com
Catherine is an employee at the CA, Symantec
Jo is an SSL reseller, she offers cheap Symantec certs
Valorie is a seemingly helpful person who answers Andrea's queries on Q&A sites
Wendy runs a web hosting business, she runs the servers www.example.com uses
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy