On 07/10/2016 19:14, Kathleen Wilson wrote:
On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote:
On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote:
I seem to recall we had some discussion a while back about what criteria
should be applied to email CAs.  Where did we end up on that?

I don't believe anything was settled.  There is one small item in the CA policy:

"for a certificate to be used for digitally signing or encrypting
email messages, the CA takes reasonable measures to verify that the
entity submitting the request controls the email account associated
with the email address referenced in the certificate or has been
authorized by the email account holder to act on the account holder’s
behalf;"

Other than that, I don't think there are any requirements.


Correct. When we had the discussion about removing trust bits, the consensus 
was that we should continue supporting the email trust bit.

I think the long term intent is for the CAB Forum to eventually be structured 
in such a way that a working group of those interested in S/MIME certs would be 
formed to create Baseline Requirements for that type of cert. But, that's 
really a discussion for the CAB Forum.

So for now, we continue to review such CAs to make sure there aren't any 
obvious show-stoppers, and that the email address to be included in the certs 
is verified to be owned/controlled by the cert subscriber.


It isn't
clear to me that the subordinate CA disclosure rule even applies to
e-mail only roots.


We consider roots with only the email trust bit enabled to be technically 
constrained, such that their subCAs don't need to be disclosed.


But they are not constrained as to what e-mail addresses they can
certify and at what trust level.  An EV-like e-mail certificate (in
Mozilla terms) is usually the same as an e-signature legally binding
person certificate (in national/regional legislative terms), making
them in some ways much more powerful than web certificates.

Especially considering the ongoing discussion of cross-signatures of a
CA that might be distrusted, e-mail only cross signatures and e-mail
only subCAs still need to be disclosed in order to maintain
root program integrity.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
