On Thu, Feb 11, 2021 at 1:11 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I have a question (if I should write it in Bugzilla instead please say
> so it is unclear to me what the correct protocol is)

While Mozilla Policy permits discussion in both, I will say it's significantly easier when the discussion is on Bugzilla to ensure the feedback is considered and promptly responded to. So if you want to consider posing your questions there, that's really helpful for posterity. If, for example, it became necessary to discuss a set of issues for a CA, Bugzilla incident reports are going to be the primary source of the incident report and discussion, and unless there's a clear link *on the bug* to such mailing list discussion, it will no doubt be overlooked. So I'd say feel free to ask your question there, which helps make sure it's answered before the issue is closed.

> I also have noticed something that definitely isn't (just) for
> GlobalSign. It seems to me that the current Ten Blessed Methods do not
> tell issuers to prevent robots from "clicking" email links. We don't
> need a CAPTCHA, just a "Yes I want this certificate" POST form ought to
> be enough to defuse typical "anti-virus", "anti-malware" or automated
> crawling/cache building robots. Maybe I just missed where the BRs
> tell you to prevent that, and hopefully even without prompting all
> issuers using the email-based Blessed Methods have prevented this,

Yes, this has been raised previously in the Forum by Peter Bowen (then at Amazon), as part of the discussion and input with respect to the validation methods. This is one of many outstanding items still for the Validation Working Group of the CA/B Forum, as possible mitigations were also discussed. In short, "capability URLs" (where the entire URL is, in effect, the capability) are dangerous. Note that there have been far more than "Ten Blessed Methods" since those discussions, so perhaps it's clearer to just say 3.2.2.4.
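The mitigation Nick describes above, as an added example that is not code from the thread or from any CA: a GET on the emailed link only renders a confirmation form, and the validation is recorded only on an explicit POST carrying the token, which link-prefetching mail scanners do not issue. The in-memory token store, the 30-minute lifetime and the request-dispatch shape are assumptions for the illustration.

```python
"""Email-link domain validation that a link-following robot cannot complete."""
import html
import secrets
import time

# Constructed in-memory token store: token -> {domain, expires, validated}
TOKENS = {}
TOKEN_TTL = 30 * 60  # seconds an emailed token stays usable (assumed value)


def issue_token(domain, now=None):
    """Mint a fresh random token to embed in the email to the domain contact."""
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + TOKEN_TTL
    TOKENS[token] = {"domain": domain, "expires": expires, "validated": False}
    return token


def _lookup(token, now):
    """Return the live, unused record for token, or None."""
    rec = TOKENS.get(token)
    if rec is None or now > rec["expires"] or rec["validated"]:
        return None
    return rec


def handle(method, query, form, now=None):
    """Dispatch one request to /validate. Returns (status, body, validated_domain)."""
    now = now if now is not None else time.time()
    if method == "GET":
        # Following the link (what a scanner does) only shows a form; the
        # token is NOT consumed and nothing is validated yet.
        token = query.get("token", "")
        rec = _lookup(token, now)
        if rec is None:
            return 404, "unknown, used or expired token", None
        body = ('<form method="POST" action="/validate">'
                f'<input type="hidden" name="token" value="{html.escape(token)}">'
                f'<button>Yes, I want a certificate for {html.escape(rec["domain"])}'
                '</button></form>')
        return 200, body, None
    if method == "POST":
        # Only an explicit POST with the token in the body consumes it and
        # records the validation; a token in the query string does not count.
        rec = _lookup(form.get("token", ""), now)
        if rec is None:
            return 404, "unknown, used or expired token", None
        rec["validated"] = True
        return 200, f"validated {rec['domain']}", rec["domain"]
    return 405, "method not allowed", None
```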