On 18/4/2018 12:04 AM, Jeremy Rowley via dev-security-policy wrote:
> Having to go through captchas to even get the email sent is just another obstacle in getting the CA a timely certificate problem report.
Nowadays, people deal with captchas all the time in various popular web sites. I don't understand this argument. If someone wants to file a certificate problem report, they will take the extra "seconds" to pass the "I am not a robot" test :)
Mail servers receive tons of SPAM every day and an email address target is a very easy target for popular CAs. We should also consider the possibility of accidental "spam labeling" of a certificate problem report via email.
I believe CAs should include the necessary information for receiving Certificate Problem Reports in section 1.5.2 of their CP/CPS and this should be required by the Mozilla Policy for consistency. The same applies for the "high-priority" Certificate Problem Reports as mandated in 4.10.2 of the BRs.
Dimitris.