On Sat, 17 May 2025, Grant Taylor via mailop wrote:
> On 5/17/25 9:55 AM, Andrew C Aitchison via mailop wrote:
>> How would the public CA know which user on your domain actually sent the
>> request? Validation proves the domain but trusts that the domain is
>> honest about the localpart.
> The same way that CAs have been providing S/MIME certificates for decades.
> Send a nonce to the email address that's being validated and require said
> nonce to be provided back to the CA in a form / reply / etc.
No.
I have some confidence that an email to example.com
won't be received at example.org,
but how confident can I be that [email protected] and [email protected]
do not have access to the mailbox [email protected]?
As a CA I would find that a difficult extension to stake my business on
and would want an out-of-band (i.e. non-email) channel.
In addition to the increased volume and the lower level of
technical experience that client certificates may bring,
I imagine that this can of worms has contributed to Let's Encrypt
opting out.
--
Andrew C. Aitchison Kendal, UK
[email protected]
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
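To make the point of the exchange above concrete, here is a small model of the nonce challenge Grant describes and of the gap Andrew raises. This is an added illustration, not code from any CA, from Let's Encrypt or from the thread; the `CA` and `MailDomain` classes, the addresses and the "who can read the admin mailbox" setup are all constructed. The CA side does what a real e-mail validation does (random single-use nonce, expiry, constant-time comparison), and the mail-domain side models a role mailbox readable by more than one person, so the check passes for whichever reader answers first while the CA cannot tell them apart.

```python
"""Model of e-mail based address validation for S/MIME issuance.

Added example (not from the mailop thread or any CA's code). Everything below,
including the domain, mailbox names and people, is constructed for illustration.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

PREFIX = "Your validation code is "


@dataclass
class Challenge:
    address: str
    nonce: str
    issued_at: float
    ttl: int = 600  # seconds the nonce stays valid


class MailDomain:
    """Toy mail domain: a mailbox may be readable by several people
    (shared role account, delegated access, catch-all)."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.readers: dict[str, set[str]] = {}     # mailbox -> people who can read it
        self.inboxes: dict[str, list[str]] = {}    # mailbox -> delivered messages

    def grant_read(self, mailbox: str, person: str) -> None:
        self.readers.setdefault(mailbox, set()).add(person)

    def deliver(self, address: str, body: str) -> None:
        local, _, domain = address.partition("@")
        if domain != self.domain:
            raise ValueError(f"{address} is not in {self.domain}")
        self.inboxes.setdefault(local, []).append(body)

    def read_as(self, person: str, mailbox: str) -> list[str]:
        if person not in self.readers.get(mailbox, set()):
            return []
        return list(self.inboxes.get(mailbox, []))


class CA:
    """Sends a one-time nonce to the address and accepts the request only if
    the exact nonce comes back before it expires."""

    def __init__(self) -> None:
        self._pending: dict[str, Challenge] = {}

    def start_validation(self, address: str, domain: MailDomain) -> None:
        nonce = secrets.token_urlsafe(32)
        self._pending[address] = Challenge(address, nonce, time.time())
        domain.deliver(address, PREFIX + nonce)

    def complete_validation(self, address: str, presented: str, now: float | None = None) -> bool:
        ch = self._pending.get(address)
        if ch is None:
            return False                      # no challenge outstanding (or already used)
        now = time.time() if now is None else now
        if now - ch.issued_at > ch.ttl:
            del self._pending[address]        # expired: require a fresh challenge
            return False
        ok = hmac.compare_digest(ch.nonce, presented)
        if ok:
            del self._pending[address]        # single use: a replay must fail
        return ok


def extract_nonce(messages: list[str]) -> str | None:
    for m in messages:
        if m.startswith(PREFIX):
            return m[len(PREFIX):]
    return None


def people_able_to_respond(domain: MailDomain, mailbox: str) -> set[str]:
    """Everyone who can read the challenge. The CA's check proves control of
    the mailbox, not which of these people made the request."""
    return {p for p in domain.readers.get(mailbox, set())
            if extract_nonce(domain.read_as(p, mailbox)) is not None}


def demo() -> tuple[set[str], bool, bool]:
    dom = MailDomain("example.com")
    dom.grant_read("admin", "alice")   # shared role mailbox, two readers
    dom.grant_read("admin", "bob")
    dom.grant_read("alice", "alice")   # personal mailbox, one reader
    ca = CA()
    ca.start_validation("admin@example.com", dom)
    candidates = people_able_to_respond(dom, "admin")
    code = extract_nonce(dom.read_as("bob", "admin"))
    first = ca.complete_validation("admin@example.com", code)   # passes
    replay = ca.complete_validation("admin@example.com", code)  # single use: fails
    return candidates, first, replay


if __name__ == "__main__":
    print(demo())
```

The expiry and single-use handling are what a CA can do on its side; what it cannot do with e-mail alone is shrink `people_able_to_respond` below the set of readers of the mailbox, which is the out-of-band requirement Andrew is arguing for.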