On 20/04/2017 21:15, Ryan Sleevi wrote:
> Gerv,
>
> I must admit, I'm not sure I understand what you consider irrelevant
> reasons for 4.9.1 in the context of e-mail addresses.
>
> The only one I can think of is
> "7. The CA is made aware that a Wildcard Certificate has been used to
> authenticate a fraudulently misleading
> subordinate Fully-Qualified Domain Name;"
>
> But that's because such e-mail CAs are effectively wildcards (e.g. they can
> issue for subdomains, unless a nameconstraint includes a leading . to
> indicate for host not domain)

I believe this is about end certificates, not constrained Intermediary
CA certificates.


> But given that e-mail addresses include Domain portions (after all, that is
> the definition, localpart@domain), and Fully-Qualified Domain Name doesn't
> imply a sAN of type dNSName, this all seems... ok as is?


Technically, the part after the @ could also be a bang!path, though
this is rare these days.

So maybe some wording in the Mozilla e-mail end cert requirements for
how the phrase "Domain Name" in the TLS cert BRs maps to rfc822-names.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
