On Fri, Oct 07, 2016 at 09:05:37PM +0200, Jakob Bohm wrote: > On 07/10/2016 19:14, Kathleen Wilson wrote: > >On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote: > >>It isn't > >>clear to me that the subordinate CA disclosure rule even applies to > >>e-mail only roots. > > > >We consider roots with only the email trust bit enabled to be technically > >constrained, such that their subCAs don't need to be disclosed. > > But they are not constrained as to what e-mail addresses they can > certify and at what trust level. An EV-like e-mail certificate (in > mozilla terms) is usually the same as an e-signature legally binding > person certificate (in national/regional legislative terms), making > them in some ways much more powerful than web certificates.
Are there any legislation that says, "any trust anchor in the Mozilla store with the e-mail trust bit turned on is automatically a valid signature trust anchor", though? I'd expect that legislative frameworks would be at least a *little* more prescriptive in their standards for identity verification for digital signatures, and a trust anchor's compliance with *those* standards would be far more important than whether or not it's in the Mozilla trust store. That's not to say that having more rigorous standards for inclusion in the Mozilla root store with e-mail bit enabled wouldn't be good to have, but I doubt that "legally binding e-signature" is a meaningful argument. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
