On 2/28/19 12:52 AM, Jeremy Rowley wrote:
> 4. The validation agent specified the approval scope as id-addr.arpa which is
> normal for a domain approved by the admin listed in WHOIS. As a constructed
> email, the approval scope should have been limited to the scope set by the
> constructed address.

One specific question on this point: Why did the software permit setting the approval scope to a public suffix (as defined by inclusion on the public suffix list)? Could validation agent action set the approval scope to some other two-label public suffix like co.uk?

-George Macon
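
The check the question above asks about, as an added example that is not part of the original message or of any CA's software: reject an approval scope that is a public suffix, and for a constructed address keep the scope within that address's domain. The suffix set is a small constructed subset of the Public Suffix List, and `check_approval_scope` and its parameters are hypothetical names.

```python
# Constructed subset of the Public Suffix List, for illustration only.
# A real check would load the full, current list (including wildcard rules).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "arpa", "in-addr.arpa"}

# Local parts allowed for constructed e-mail validation.
CONSTRUCTED_LOCAL_PARTS = {
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
}


def normalize(name):
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_public_suffix(name):
    return normalize(name) in PUBLIC_SUFFIXES


def is_within(name, parent):
    """True if name equals parent or is a subdomain of it (label-aligned)."""
    name, parent = normalize(name), normalize(parent)
    return name == parent or name.endswith("." + parent)


def check_approval_scope(requested_scope, approver_email, via_constructed_address):
    """Return (allowed, reason) for a proposed approval scope.

    Hypothetical policy check. Assumption: for a non-constructed approver
    (for example a WHOIS contact) the link between approver and domain is
    verified elsewhere; only the public-suffix rule is enforced here.
    """
    scope = normalize(requested_scope)
    if not scope or is_public_suffix(scope):
        return False, "scope is a public suffix"
    if via_constructed_address:
        local, _, domain = approver_email.rpartition("@")
        if local.lower() not in CONSTRUCTED_LOCAL_PARTS:
            return False, "not a constructed address"
        if not is_within(scope, domain):
            return False, "scope is wider than the constructed address domain"
    return True, "ok"
```
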