On 2017-05-19 14:18, Gervase Markham wrote:
Ryan Sleevi suggested a wording clarification/policy extension to the
multi-factor auth requirement, from:

"enforce multi-factor authentication for all accounts capable of
directly causing certificate issuance"

to

"enforce multi-factor authentication for all accounts capable of causing
certificate issuance or performing validation functions"

The goal here was to cover RAs performing validation functions. Although
we are moving towards not permitting third parties to perform domain or
IP address ownership validation, it still seems to me to be a good
improvement that accounts involving certificate issuance or the input of
data into what will become an issued certificate should be multi-factor
protected.

I'm wondering why something like this should be in the Mozilla policy and not be part of something else that they get audited for.


Kurt


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
