On 01/06/17 14:22, Doug Beattie wrote: > If this is the case, then in what cases do you see 2-factor auth being a > requirement where it was not before?
Well, Mozilla policy didn't require that all RA accounts had multi-factor, only those directly capable of causing certificate issuance. Maybe there was some other requirement somewhere which means this addition is redundant? An example of someone who didn't require it before who requires it now would be someone who did EV research into the correctness of the company information as supplied by the applicant, and marked it as "confirmed" in the system. This is "performing a validation function", but it's not "directly causing certificate issuance". Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy