On 01/06/17 13:45, Ryan Sleevi wrote:
> The reason why I don't think it's a valid reasoning is that if we accept
> that this provision in the policy could be read to cover such emails, then
> we're implicitly agreeing that the act of clicking that email is performing
> a validation function pursuant to 3.2.2.4 of the Baseline Requirements.

Well, yes, probably. This text is in the Mozilla policy and the above is in the Baseline Requirements, but I can see how this logic works.

> Ergo, every customer of that CA who uses that method is acting as a
> Delegated Third Party, performing the validation functions of 3.2.2.4 -
> since, by logical extension, they're performing the validation function of
> 3.2.2.4 on their account - and all the attendant mess that it entails.

That's a good point. Perhaps this leads to the solution? We say:

"enforce multi-factor authentication for all accounts capable of causing certificate issuance or performing RA or DTP functions as defined by the Baseline Requirements"

?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy