On Mon, Apr 2, 2018 at 1:09 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> I'm forwarding this for Tim because the list rejected it as SPAM.
>
> *From:* Tim Hollebeek
> *Sent:* Monday, April 2, 2018 2:22 PM
> *To:* 'mozilla-dev-security-policy' <mozilla-dev-security-policy@lists.mozilla.org>
> *Subject:* Complying with Mozilla policy on email validation
>
> Mozilla policy currently has the following to say about validation of
> email addresses in certificates:
>
> “For a certificate capable of being used for digitally signing or
> encrypting email messages, the CA takes reasonable measures to verify that
> the entity submitting the request controls the email account associated
> with the email address referenced in the certificate or has been authorized
> by the email account holder to act on the account holder’s behalf.”
>
The paragraph above is from the Validation Practices section of policy.

> “If the certificate includes the id-kp-emailProtection extended key usage,
> then all end-entity certificates MUST only include e-mail addresses or
> mailboxes that the issuing CA has confirmed (via technical and/or business
> controls) that the subordinate CA is authorized to use.”
>
This language is from the Technically Constrained section, and thus only
applies in that case. This option is also no longer permitted due to the
preceding paragraph of the policy that states:

*Instead of complying with the above paragraph, intermediate certificates
issued before 22nd June 2017 may, until 15th January 2018, comply with the
following paragraph:*

> “Before being included and periodically thereafter, CAs MUST obtain certain
> audits for their root certificates and all of their intermediate
> certificates that are not technically constrained to prevent issuance of
> working server or email certificates.”
>
> (Nit: Mozilla policy is inconsistent in its usage of email vs e-mail.  I’d
> fix the one hyphenated reference)
>
I've made a note to fix that in version 2.6.

> This is basically method 1 for email certificates, right?  Is it true that
> Mozilla policy today allows “business controls” to be used for validating
> email addresses, which can essentially be almost anything, as long as it is
> audited?
>
It's akin to method 1 or 5, but is not currently in effect. Here is the
current requirement for technically constrained email certificates:

*If the certificate includes the id-kp-emailProtection extended key usage,
it MUST include the Name Constraints X.509v3 extension with constraints on
rfc822Name, with at least one name in permittedSubtrees, each such name
having its ownership validated according to section 3.2.2.4 of the Baseline
Requirements <https://cabforum.org/baseline-requirements-documents/>.*

In practice, this means that the option for using "business controls" to
validate email addresses dies along with BR methods 1 and 5.

> (I’m not talking about what the rules SHOULD be, just what they are.  What
> they should be is a discussion we should have in a newly created CA/* SMIME
> WG)
>
As we've already discussed, the 2.6 requirement for CAs to disclose email
validation practices should help with this.

> -Tim
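Added example, not part of the original message and not Mozilla's or any CA's tooling: a Python check, using the `cryptography` package, of the structural part of the technically constrained rule quoted in the reply (id-kp-emailProtection requires Name Constraints with at least one rfc822Name in permittedSubtrees). The helper `build_constructed_ca` and its sample names are assumptions made for the demonstration; whether each permitted name was validated under BR section 3.2.2.4 cannot be read from the certificate and is not checked.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def email_constraint_problems(cert):
    """Return problems with the quoted rule; [] means met or not applicable."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return []  # no EKU extension: the quoted paragraph is not triggered
    if ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
        return []
    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
    except x509.ExtensionNotFound:
        return ["id-kp-emailProtection present but no Name Constraints extension"]
    permitted = nc.permitted_subtrees or []
    if not any(isinstance(n, x509.RFC822Name) for n in permitted):
        return ["Name Constraints has no rfc822Name in permittedSubtrees"]
    return []


def build_constructed_ca(email_eku, rfc822=None, dns=None):
    """Constructed self-signed test certificate (hypothetical helper, sample data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    start = datetime.datetime(2018, 4, 2)
    usage = ExtendedKeyUsageOID.EMAIL_PROTECTION if email_eku else ExtendedKeyUsageOID.SERVER_AUTH
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.ExtendedKeyUsage([usage]), critical=False)
    )
    permitted = [x509.RFC822Name(v) for v in rfc822 or []] + [x509.DNSName(v) for v in dns or []]
    if permitted:
        builder = builder.add_extension(
            x509.NameConstraints(permitted_subtrees=permitted, excluded_subtrees=None),
            critical=True)
    return builder.sign(key, hashes.SHA256())
```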