> I think this bears expansion because I don't think it's been clearly
> documented what flow you believe is currently permitted today that will be
> prevented tomorrow with this change.

To be clear, in that statement I was referring to that scenario being allowed under the proposed change, where the mail provider who is authoritative for a domain can get certificates for its users. Specifically, where Wayne suggested: "CAs MUST NOT delegate validation of the domain name part of an email address to a 3rd party." Are you suggesting that with that change mail providers cannot get certificates for their users without the CA validating the local part?

> The level of abstraction here doesn't
> help, because understanding the state diagram of what the SAAS is
> requesting, and who it's requesting it of, is vital to understanding the
> security properties.

I put together a quick diagram to try to visually explain the flow: https://www.dropbox.com/s/ocfow995aluowyl/auth%20redirect%20cert%20flow.png?dl=0

> I'm still at an absolute loss for understanding your flow and what you
> believe is validated, so I do not feel able to evaluate these alternatives,
> other than to note that I find problems with all of them. I'm hoping you
> can, focusing solely on the CA validation process, describe who is
> validating what, and when.

Hopefully the diagram helps to clarify; if not, let me know.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy