From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, June 1, 2017 8:46 AM To: Gervase Markham <g...@mozilla.org> Cc: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Policy 2.5 Proposal: Clarify requirement for multi-factor auth
> > "enforce multi-factor authentication for all accounts capable of > > directly causing certificate issuance" > > > > to > > > > "enforce multi-factor authentication for all accounts capable of > > causing certificate issuance or performing validation functions" > > Does anyone have suggestions as to how we can word this provision to > > make this distinction? > Do you think it's a valid reading to suggest that the e-mail confirmation > link is, in fact, performing > a validation function? > That is, I can appreciate the tortured reading that results in this - and I > can appreciate the desire > for greater clarity - but I'm not sure it's worth expending significant > effort on. In the worst case, a > CA who reads it like Doug suggests will result in a more secure system > (vis-a-vis the discussion in > the CA/Browser Forum regarding email scanning devices that 'click' on links). Yea, I didn’t really think that 2-factor auth needed to apply to this, but I don’t see how it applies to any of the automated domain validation processes either. When a user requests the validation of a domain we'll provide them a Random Number via email, or one that they need to incorporate into DNS, Test Certificate or web site change. Once the email is received or the random value is in place, the CA checks for this (maybe upon being asked by the partner or applicant). I don’t see any place in these processes where 2-factor auth is applicable. Even in a managed account where an authenticated Applicant says: "I want to add this domain to my account" and we provide a Random Number for them to use to demonstrate control I don’t see a need for 2-factor auth for that "account". I understand the increased importance on domain validation, but I'm not clear how we map this to domain validation at all, except perhaps for doing it manually via who-is by an RA (and RAs already need 2-factor auth). If this is the case, then in what cases do you see 2-factor auth being a requirement where it was not before? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy