Hi Doug,

On 20/07/17 13:04, Doug Beattie wrote:
> Since there is no BR equivalent for issuance of S/MIME certificates (yet),
> this is all CAs have to go on. I was curious if you agree that all of these
> methods meet the above requirement:

As you might imagine, this question puts me in a difficult position. If I say that a certain method does meet the requirement, I am making Mozilla policy up on the fly (and while on holiday ;-). If I say it does not, I would perhaps panic a load of CAs into having to update their issuance systems for fear of being dinged for misissuance.

It is unfortunate that there is no BR equivalent for email. However, I'm not convinced that the best way forward is for Mozilla to attempt to write one by degrees in response to questioning from CAs :-)

I think the best thing for you to do is to look at your issuance processes and ask yourself whether you would be willing to stand up in a court of law and assert that they were "reasonable measures". When thinking about that, you could perhaps ask yourself whether you were doing any things which had been specifically outlawed or deprecated in an SSL context by the recent improvements in domain validation on that side of the house.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy