> I’m not sure I see how 1 addresses this risk by itself. Are you thinking about this in isolation, or combined with some other mitigations (like RPKI and DNSSEC)? And, if combining, do we really need 1 to bind the method, versus something like account binding?
Yes, I assume that there is DNSSEC or the nameserver has RPKI, but the website ISP/hosting provider does not. I think that there might be many such cases. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/0d4bea47-a784-4ced-8f49-97d41394a9ffn%40mozilla.org.
