On 16/03/17 17:20, douglas.beat...@gmail.com wrote:
> Yes, RAs (trusted role employees) need to have the technical ability
> to manually add domains to accounts. They can verify domains in one
> of the 10 different methods and some of those involve manually
> looking in who-is for registrant info, using a DAD or in calling the
> contact. When one of these is used, we collect the vetting data then
> the RA can add/approve that domain.

But is the addition of the domain gated on the uploading/attachment/submission of what could plausibly be vetting data?

I mean, I understand you can't programmatically check that a person has made a phone call. But you can require them to write a report of the results of that phone call and not allow addition of the domain until they've done it. Yes, they could just put "flibbertigibbet" into the text box, but that at least shows they are deliberately bypassing the process.

If the addition is so gated, what did the employee in this case do? Did they upload bogus data?

Gerv