Ryan Sleevi suggested a wording clarification/policy extension to the multi-factor auth requirement, from:
"enforce multi-factor authentication for all accounts capable of directly causing certificate issuance" to "enforce multi-factor authentication for all accounts capable of causing certificate issuance or performing validation functions" The goal here was to cover RAs performing validation functions. Although we are moving towards not permitting third parties to perform domain or IP address ownership validation, it still seems to be to be a good improvement that accounts involving certificate issuance or the input of data into what will become an issued certificate should be multi-factor protected. This is: https://github.com/mozilla/pkipolicy/issues/60 ------- This is a proposed update to Mozilla's root store policy for version 2.5. Please keep discussion in this group rather than on Github. Silence is consent. Policy 2.4.1 (current version): https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy