On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> I seem to recall we had some discussion a while back about what criteria
> should be applied to email CAs. Where did we end up on that?

I don't believe anything was settled. There is one small item in the CA policy:

"for a certificate to be used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf;"

Other than that, I don't think there are any requirements. It isn't clear to me that the subordinate CA disclosure rule even applies to e-mail only roots.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy