On 01/05/17 09:55, Gervase Markham wrote:
> "Each entry in permittedSubtrees must either be or end with a Public
> Suffix." (And we'd need to link to publicsuffix.org)

Aargh. This should, of course, be "Public Suffix + 1" - i.e. an actual domain owned by someone.

> The second option is harder to spec, because I don't know the uses to
> which TCSCs for email are put. Is the idea that they get handed to a
> customer, and so it's OK to say that the domain names have to be
> validated as being owned by the entity which has authority to command
> issuance? Or are there scenarios I'm missing?

CAs who issue email certs need to pay attention here, as I want to close this loophole but am at risk of making policy which does not suit you, if you do not engage in this discussion.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
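The "Public Suffix + 1" rule proposed in the message above, as an added example that is not part of the original post or of any Mozilla tooling: a check that each permittedSubtrees name is, or ends with, a registrable domain. The rule set is a constructed excerpt (a real check would load the full list from publicsuffix.org), and the function names are hypothetical.

```python
# Constructed excerpt of Public Suffix List rules (assumption); a real check
# would load the full list published at publicsuffix.org.
SAMPLE_RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck"}


def public_suffix_len(labels, rules=SAMPLE_RULES):
    """Return how many trailing labels of the name form its public suffix."""
    best = 1  # implicit default rule "*": the rightmost label is a suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        n = len(labels) - i
        if "!" + candidate in rules:
            return n - 1  # exception rule prevails over every other match
        if candidate in rules:
            best = max(best, n)
        # Wildcard rule "*.<rest>" matches any one label in front of <rest>.
        if i + 1 < len(labels) and "*." + ".".join(labels[i + 1:]) in rules:
            best = max(best, n)
    return best


def entry_is_acceptable(entry, rules=SAMPLE_RULES):
    """True if the entry is, or ends with, a public suffix plus one label."""
    name = entry.strip().lower().strip(".")  # tolerate ".example.com" form
    labels = name.split(".") if name else []
    if not labels or any(not label for label in labels):
        return False  # empty constraint or malformed name
    # Public suffix + 1 means at least one label to the left of the suffix.
    return len(labels) > public_suffix_len(labels, rules)


def rejected_entries(entries, rules=SAMPLE_RULES):
    """Return the entries that constrain nothing narrower than a public suffix."""
    return [e for e in entries if not entry_is_acceptable(e, rules)]


if __name__ == "__main__":
    # Constructed permittedSubtrees values for illustration.
    sample = ["example.com", "co.uk", "mail.example.co.uk", "com", "example.ck"]
    for entry in rejected_entries(sample):
        print("reject:", entry)
```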

