Kissaki - 2013-05-11

You mean an association between the email address and the email address from the strong cert?
I don’t think we should blindly trust that even strong certs provide an email address the user owns.

What qualifies as a strong cert? One that is signed by a CA in the CA list being used, right?
So if an attacker can add his cert to the list of CAs, he could sign certs to crack accounts by providing the appropriate email address.
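The scenario in the post above, worked through in code as an added example that is not from this thread or from any project discussed in it. It uses Go's standard crypto/x509 only; the CA names, the address alice@example.com and the "pin one CA per email domain" rule are assumptions made for the demo. The naive rule (any cert chaining to any trusted CA is "strong", so take its email at face value) is shown beside a check that also requires the chain to end at the CA that is actually authorized for the address's domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// domainPins maps an email domain to the single CA allowed to vouch for it
// (a hypothetical policy for this example, not something from the thread).
type domainPins map[string]*x509.Certificate

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA with a made-up name (P-256 key, one-day validity).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueEmailCert has ca sign a client certificate whose SAN carries email.
// Any CA can put any address here; nothing in X.509 stops it.
func issueEmailCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// poolOf is the "CA list" from the thread: whatever is in it is trusted.
func poolOf(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return pool
}

// verifyChains does the plain chain validation and pulls out the SAN email.
func verifyChains(leaf *x509.Certificate, trusted *x509.CertPool) ([][]*x509.Certificate, string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, "", err
	}
	if len(leaf.EmailAddresses) == 0 {
		return nil, "", errors.New("certificate carries no email address")
	}
	return chains, leaf.EmailAddresses[0], nil
}

// emailFromCert is the naive rule: a cert is "strong" if it chains to any CA in
// the store, and its email is then believed. A CA added to the store breaks it.
func emailFromCert(leaf *x509.Certificate, trusted *x509.CertPool) (string, error) {
	_, email, err := verifyChains(leaf, trusted)
	return email, err
}

// emailFromCertPinned also requires the chain to end at the CA pinned for the
// address's domain, so a smuggled-in CA cannot vouch for that domain's users.
func emailFromCertPinned(leaf *x509.Certificate, trusted *x509.CertPool, pins domainPins) (string, error) {
	chains, email, err := verifyChains(leaf, trusted)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return "", fmt.Errorf("malformed email %q", email)
	}
	want, ok := pins[strings.ToLower(email[at+1:])]
	if !ok {
		return "", fmt.Errorf("no CA is pinned for the domain of %s", email)
	}
	for _, chain := range chains {
		if chain[len(chain)-1].Equal(want) {
			return email, nil
		}
	}
	return "", fmt.Errorf("%s was issued under a CA not pinned for its domain", email)
}

func main() {
	realCA, _ := newCA("Corporate CA")
	rogueCA, rogueKey := newCA("Rogue CA")
	forged := issueEmailCert(rogueCA, rogueKey, "alice@example.com")
	_, err := emailFromCert(forged, poolOf(realCA))
	fmt.Println("clean store, naive check:", err)
	email, _ := emailFromCert(forged, poolOf(realCA, rogueCA))
	fmt.Println("rogue CA added, naive check accepts:", email)
	_, err = emailFromCertPinned(forged, poolOf(realCA, rogueCA), domainPins{"example.com": realCA})
	fmt.Println("rogue CA added, pinned check:", err)
}
```

The pinned variant is one concrete answer to "don't blindly trust the store": it still rejects the forged certificate after the rogue CA has been added, because the forged chain terminates at the wrong root for example.com. Whether a per-domain pin, a CA allow-list per application, or an out-of-band ownership check (a mail loop) is the right mitigation depends on who controls the CA list; the point the code makes is only that chain validity alone says nothing about whether the issuer was entitled to assert that address.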