I liked your previous version better, if it had to be updated.

It would sound like you're suggesting "Enterprise RA" accounts should not
use multi-factor authentication, but given that they're part of the scope
of audited activities (that the CA must directly oversee), the use of
multi-factor authentication seems both entirely appropriate and necessary
to maintaining the integrity of such systems.

So my preference was
1) Originally worded
2) "performing RA or DTP functions"
...
3) This wording :P

On Fri, Jun 2, 2017 at 6:00 AM, Gervase Markham <g...@mozilla.org> wrote:

> On 01/06/17 13:59, Gervase Markham wrote:
> > Perhaps this leads to the solution? We say:
> >
> > "enforce multi-factor authentication for all accounts capable of causing
> > certificate issuance or performing RA or DTP functions as defined by the
> > Baseline Requirements"
>
> or "enforce multi-factor authentication for all accounts capable of
> either causing certificate issuance or performing validation functions,
> for certificates containing domains not owned or controlled by the
> account holder"
>
> Gerv
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
