On 04/18/2018 10:51 PM, Dimitris Zacharopoulos via dev-security-policy wrote:
>> 1 - it's easier. I have seen CAs use generic "support request" forms that
>> are difficult to decipher, especially when not in one's native language.
>> 2 - It scales better. When someone is trying to report the same problem to
>> a number of CAs, one email is better than filling out a bunch of forms
>> 3 - It automatically creates a record of the submission. Many forms provide
>> the user no confirmation unless they remember to take a timestamped screen
>> shot.
>>
>
> Despite the arguments for email, there are equally good arguments for
> web form submission. IMHO, both should be allowed. A CA could start with
> email but if the spam volume becomes out of control, the CA might switch
> to a web form solution and all we need to do is define the minimum
> "properties" of such a solution. In all cases, CAs should maintain
> up-to-date information for Certificate Problem Report submission methods
> in CCADB.

Although I much prefer email as a submission method myself, another argument is actually security. Given that most users (sadly) still don't use OpenPGP or S/MIME, a web form allows encrypted submissions.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

