On Sat, 17 May 2025, Grant Taylor via mailop wrote:
> On 5/17/25 9:55 AM, Andrew C Aitchison via mailop wrote:
>> How would the public CA know which user on your domain actually sent the
>> request? Validation proves the domain but trusts that the domain is
>> honest about the localpart.
> The same way that CAs have been providing S/MIME certificates for decades.
> Send a nonce to the email address that's being validated and require said
> nonce to be provided back to the CA in a form / reply / etc.
No.
I have some confidence that an email to example.com
won't be received at example.org,
but how confident can I be that secret...@example.net and b...@example.net
do not have access to the mailbox b...@example.net?
As a CA I would find that a difficult extension to stake my business on
and would want an out-of-band (i.e. non-email) channel.
In addition to the increased volume and the lower level of
technical experience that client certificates may bring,
I imagine that this can of worms has contributed to Let's Encrypt
opting out.
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
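The nonce exchange Grant describes, written out as an added example that is not part of either message nor of any CA's code; the `EmailChallengeValidator` class, its expiry window and its address normalisation are my own assumptions. It binds each single-use nonce to one exact address and rejects replays, late answers and address mismatches, which is exactly as far as such a check reaches: it proves that something with access to that mailbox answered, not which person did, which is Andrew's objection.

```python
import hashlib
import hmac
import secrets
import time


def normalize_address(address):
    """Lower-case only the domain; the localpart's case is the receiving MTA's business."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mailbox address")
    return f"{local}@{domain.lower()}"


class EmailChallengeValidator:
    """Issues single-use nonces bound to one mailbox and verifies the answers.

    Passing verify() shows only that whoever can read that mailbox returned the
    nonce in time; it says nothing about which human that is.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing (assumption: monotonic enough)
        self._pending = {}  # challenge_id -> (address, sha256(nonce), expiry)

    def issue(self, address):
        """Create a challenge; the nonce goes in the mail, the id in the form/URL."""
        address = normalize_address(address)
        challenge_id = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(32)
        digest = hashlib.sha256(nonce.encode()).digest()  # never store the raw nonce
        self._pending[challenge_id] = (address, digest, self.clock() + self.ttl)
        return challenge_id, nonce

    def verify(self, challenge_id, address, nonce):
        """True only for a fresh, unexpired nonce returned for the address it was sent to."""
        entry = self._pending.pop(challenge_id, None)  # single use: one attempt, success or not
        if entry is None:
            return False
        bound_address, digest, expiry = entry
        if self.clock() > expiry:
            return False
        if normalize_address(address) != bound_address:
            return False  # answer must come back for the exact mailbox challenged
        candidate = hashlib.sha256(nonce.encode()).digest()
        return hmac.compare_digest(candidate, digest)  # constant-time comparison
```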