Gerv,


Mozilla Policy 2.5 states this:



For a certificate capable of being used for digitally signing or encrypting 
email messages, the CA takes reasonable measures to verify that the entity 
submitting the request controls the email account associated with the email 
address referenced in the certificate or has been authorized by the email 
account holder to act on the account holder's behalf.



Since there is no BR equivalent for issuance of S/MIME certificates (yet), this 
is all CAs have to go on.  I was curious if you agree that all of these methods 
meet the above requirement:



1. On a per request basis (noting that some of these are overkill for 
issuance of a single certificate):

   a. 3.2.2.4.1 Validating the Applicant as a Domain Contact
   b. 3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact
   c. 3.2.2.4.3 Phone Contact with Domain Contact
   d. 3.2.2.4.4 Email to Constructed Address
   e. 3.2.2.4.5 Domain Authorization Document
   f. 3.2.2.4.6 Agreed-Upon Change to Website
   g. 3.2.2.4.7 DNS Change

2. On a per Domain basis.  One approval is sufficient to approve issuance 
for certificates in this domain space since these represent administrator 
actions, provided subsequent requests are all performed via an authenticated 
channel to the CA <certificate management portal or API>. This approval would 
last until this customer notified the CA otherwise <or closed their account>:

   a. 3.2.2.4.1 Validating the Applicant as a Domain Contact
   b. 3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact
   c. 3.2.2.4.3 Phone Contact with Domain Contact
   d. 3.2.2.4.4 Email to Constructed Address
   e. 3.2.2.4.5 Domain Authorization Document
   f. 3.2.2.4.6 Agreed-Upon Change to Website
   g. 3.2.2.4.7 DNS Change

3. Assuming issuance to a service provider (email hosting entity like 
Microsoft, Yahoo or Google) that hosts email for many domains, CA verifies that 
the Email domain DNS MX record points to the hosting company which indicates 
the company has delegated email control to the hosting company.

4. A DNS TXT record for the domain indicating approval to issue email 
certificates, or perhaps a CAA record with a new tag like issuesmime which 
permits the CA to issue certificates to this domain <CA name such as 
globalsign.com>.  Details in CA CPS.

5. A DNS TXT record for the domain indicating approval to issue email 
certificates, or perhaps a CAA record with a new tag like issuesmime which 
permits the email hosting company to issue certificates to this domain <hosting 
company name such as microsoft.com, yahoo.com, gmail.com>.  Details in CA CPS.



Are there any other methods that you had in mind when writing this requirement? 
Since issuance needs to be WT audited, there should be some level of 
"agreement" on acceptable validation methods.



Doug


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
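
Items 3 to 5 of the message above can be expressed as checks over DNS answers. The Python below is an added example, not part of the original message or of any CA's code; the `issuesmime` tag is the hypothetical one floated in the message, its opt-in semantics and the function names are assumptions, and the `mailhost.example` / `other-ca.example` records are constructed samples.

```python
import re

# Constructed sample records (not real DNS answers). "issuesmime" is the
# hypothetical CAA tag floated in the message, not a registered property.
SAMPLE_CAA = ['0 issue "other-ca.example"', '0 issuesmime "globalsign.com"']
SAMPLE_MX = ["10 mx1.mailhost.example.", "20 mx2.mailhost.example."]

CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(rdata):
    """Parse CAA presentation format: <flags> <tag> "<value>"."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    flags, tag, value = m.groups()
    # Drop any ';'-separated parameters that follow the named domain.
    name = value.split(";", 1)[0].strip().lower().rstrip(".")
    return int(flags), tag.lower(), name


def caa_approves(caa_rdatas, party, tag="issuesmime"):
    """Items 4/5: True only if a record with the proposed tag names `party`.

    Assumed opt-in semantics: no matching record means no approval. An
    ordinary "issue" record for the same party does not count.
    """
    party = party.lower().rstrip(".")
    return any(parse_caa(r)[1:] == (tag, party) for r in caa_rdatas)


def mx_delegated_to(mx_rdatas, provider_suffixes):
    """Item 3: True only if every MX target sits under a provider suffix.

    A split setup (one MX at the provider, one elsewhere) and a null MX
    ("0 .") both fail, since mail control is then not fully delegated.
    """
    targets = [r.split()[1].lower().rstrip(".") for r in mx_rdatas]
    if not targets:
        return False
    return all(
        any(t == s or t.endswith("." + s) for s in provider_suffixes)
        for t in targets
    )
```

The suffix comparison requires a label boundary, so a look-alike host such as `evilmailhost.example` does not satisfy a `mailhost.example` provider suffix.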
