Windows Live recently suffered a security incident because they didn't realize that email addresses like administrator@live.fi are considered "trusted": some certificate authorities will consider anyone who controls that email address to be the owner of the domain live.fi.
How do I obtain a list of email addresses that are considered "trusted"? Or, in other words, if I want to allow untrusted users to obtain email addresses at my domain, which email addresses do I need to prevent them from obtaining? Where do I get a list of all of those special email addresses that might be trusted by someone? Of course, there are many certificate authorities, so at a minimum, this list would need to include the union of everything that is trusted by any certificate authority anywhere.
I know RFC 2142 lists some reserved email addresses, but it looks like this is not enough: some certificate authorities trust additional email addresses that are not on this list.
Related but not the same: While searching the Internet for lists of reserved usernames and lists of usernames to block, I found the following additional resources: Is there a list of common usernames to reserve in a new system?, shouldbee's list, kwappa's list.
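As an added illustration of the defensive side of the question (not part of the original post), the following Python check rejects sign-ups for local-parts that a certificate authority might treat as a domain contact. It unions the RFC 2142 role names with the five local-parts the CA/Browser Forum Baseline Requirements permit for "constructed email to domain contact" validation (admin, administrator, webmaster, hostmaster, postmaster); the `OPERATOR_EXTRA_LOCAL_PARTS` set and the `strip_dots` option are assumptions an operator would tune to their own mail system, not values from any standard. The normalization step is what makes the check useful: without case folding, NFKC and sub-address stripping, `Administrator+x@live.fi` or a fullwidth `ａｄｍｉｎ` would slip past a naive string comparison even though mail to them lands in the trusted mailbox.

```python
import unicodedata
from typing import Optional

# Role mailboxes named in RFC 2142 (union of all sections of that RFC).
RFC2142_LOCAL_PARTS = frozenset({
    "info", "marketing", "sales", "support",        # business-related
    "abuse", "noc", "security",                      # network operations
    "postmaster", "hostmaster", "usenet", "news",    # service-specific
    "webmaster", "www", "uucp", "ftp",
})

# Local-parts a CA may use to reach the "domain contact" under the
# CA/Browser Forum Baseline Requirements (constructed email method).
CABF_DOMAIN_CONTACT_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
})

# Additional names this deployment chooses to reserve. ASSUMPTION: operator
# policy only; nothing in RFC 2142 or the Baseline Requirements mandates these.
OPERATOR_EXTRA_LOCAL_PARTS = frozenset({"root", "mailer-daemon"})

RESERVED_SETS = {
    "rfc2142": RFC2142_LOCAL_PARTS,
    "cabf-domain-contact": CABF_DOMAIN_CONTACT_LOCAL_PARTS,
    "operator-policy": OPERATOR_EXTRA_LOCAL_PARTS,
}


def normalize_local_part(local_part: str, strip_dots: bool = False) -> str:
    """Reduce a local-part to the mailbox it would actually be delivered to.

    NFKC folds compatibility forms (e.g. fullwidth letters) to ASCII,
    casefold() handles mixed case, and anything after '+' is a sub-address
    tag that most MTAs discard before delivery. strip_dots is an
    ASSUMPTION for providers that ignore dots (Gmail-style); leave it off
    unless your mail system really does that.
    """
    s = unicodedata.normalize("NFKC", local_part).strip().casefold()
    s = s.split("+", 1)[0]
    if strip_dots:
        s = s.replace(".", "")
    return s


def reserved_reason(address: str, strip_dots: bool = False) -> Optional[str]:
    """Return the name of the reserved set the address collides with, or None.

    The domain part is ignored on purpose: the question is whether the
    mailbox name is one a third party (such as a CA) treats as privileged,
    regardless of which of our domains it sits under.
    """
    if "@" not in address:
        raise ValueError("not an email address: %r" % address)
    local, _domain = address.rsplit("@", 1)
    if not local:
        raise ValueError("empty local-part: %r" % address)
    candidate = normalize_local_part(local, strip_dots=strip_dots)
    for name, members in RESERVED_SETS.items():
        if candidate in members:
            return name
    return None


def may_register(address: str, strip_dots: bool = False) -> bool:
    """True if an untrusted user may be given this mailbox."""
    return reserved_reason(address, strip_dots=strip_dots) is None


if __name__ == "__main__":
    # Constructed sample sign-up requests, not real accounts.
    for req in ("alice@live.fi", "Administrator@live.fi",
                "admin+signup@live.fi", "\uff41\uff44\uff4d\uff49\uff4e@live.fi",
                "ad.min@live.fi"):
        print(req, "->", reserved_reason(req) or "ok")
```

Because the check runs on the normalized name rather than the raw string, a single list suffices for every domain the provider hands out mailboxes under; the remaining judgement call is whether the `strip_dots` behaviour matches what the deployed MTA does, since a mismatch in either direction is what creates the gap the question describes.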