Hi Rob,

You either have a great memory or good search-fu; well done for digging this out!

On 12/04/17 22:14, Rob Stradling wrote:
> Gerv, FYI what you're proposing here
> (https://github.com/mozilla/pkipolicy/issues/69) was slated to appear in
> v2.1 of the policy, but it was vetoed by Symantec.
>
> Here's why...
>
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/l1BAEHjKe8Q/mey4WREKpooJ

Hmm. I note we didn't end up using Symantec's proposed text either.

I'm not sure I entirely understand their objection. They wanted to confirm via "business controls" that the customer was authorized to issue email certs for the domain. What sort of thing might that be, and how is it different to a technical control? Does it just involve the customer pinky-swearing that it's OK for them to issue such certs?

I can see that CAs might want to issue email certs for almost any domain, if the controller of an email address comes and asks for one. But in that sort of case, I wouldn't expect them to be using a TCSC.

TCSCs are for "Hi, I'm Company X, and have 100,000 employees with @companyx.com email addresses, and want to issue them publicly-trusted email certs. Give me a TCSC for @companyx.com." Whereupon the CA would get them to prove they own that domain, then provide them with such a certificate.

Gerv