On Mon, May 14, 2018 at 1:10 PM, Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Yes, but as you correctly point out, this should be taken care of as part of the CAA-bis effort. The original RFC had enough errors with respect to web certificates; I think it would be irresponsible to apply it to e-mail certificates right now without carefully considering the consequences.
>
> With CABF governance reform coming into effect on July 3rd, I'm cautiously optimistic we can start writing requirements for e-mail certificates and phasing out bad practices and phasing in good practices soon. CAA for e-mail certificates is definitely worth considering as part of that process.

Isn't this an IETF issue? Shouldn't those who issue e-mail certificates begin looking at the level of authentication provided for domains today?

> Slightly higher priority is making sure authenticated encryption modes are used with S/MIME, so people can't play silly games with CBC and harvested ciphertexts. Everything really needs to start transitioning away from CBC ... but I digress.

Indeed, it would be extremely unfortunate if the CABF tried to prioritize the encryption modes over reliable certificate authentication, considering that the encryption modes are not related to the certificates themselves.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
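The thread's point about S/MIME needing authenticated encryption rather than CBC comes down to which content-encryption algorithm a CMS EnvelopedData names. As an added example (not part of this thread), the following checker walks DER, decodes every OBJECT IDENTIFIER and reports whether the content-encryption algorithm is an AEAD mode (AES-GCM/CCM, RFC 5084) or a CBC mode (AES-CBC, RFC 3565; 3DES, RFC 3370); the two AlgorithmIdentifier blobs at the bottom are constructed samples, not captured mail.

```python
# Content-encryption algorithm OIDs (RFC 3565 AES-CBC, RFC 5084 AES-GCM/CCM, RFC 3370 3DES).
AEAD_OIDS = {
    "2.16.840.1.101.3.4.1.6": "aes128-GCM", "2.16.840.1.101.3.4.1.7": "aes128-CCM",
    "2.16.840.1.101.3.4.1.26": "aes192-GCM", "2.16.840.1.101.3.4.1.27": "aes192-CCM",
    "2.16.840.1.101.3.4.1.46": "aes256-GCM", "2.16.840.1.101.3.4.1.47": "aes256-CCM",
}
CBC_OIDS = {
    "2.16.840.1.101.3.4.1.2": "aes128-CBC", "2.16.840.1.101.3.4.1.22": "aes192-CBC",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC", "1.2.840.113549.3.7": "des-EDE3-CBC",
}

def _read_length(buf, i):  # DER length at buf[i] -> (length, index of first content byte)
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def iter_oids(buf):
    """Yield every OID in a DER blob, descending into SEQUENCE, SET and context tags."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, start = _read_length(buf, i + 1)
        end = start + length
        if tag == 0x06:
            yield decode_oid(buf[start:end])
        elif tag & 0x20:  # constructed type: recurse into its contents
            yield from iter_oids(buf[start:end])
        i = end

def classify_content_encryption(der):
    """Return ("aead", name), ("cbc", name) or ("unknown", None) for a DER blob."""
    for oid in iter_oids(der):
        if oid in AEAD_OIDS:
            return "aead", AEAD_OIDS[oid]
        if oid in CBC_OIDS:
            return "cbc", CBC_OIDS[oid]
    return "unknown", None

# Constructed sample AlgorithmIdentifiers as they appear in EncryptedContentInfo (not real mail).
SAMPLE_AES128_CBC = bytes.fromhex("301d" "0609608648016503040102" "0410" + "a5" * 16)
SAMPLE_AES128_GCM = bytes.fromhex("301b" "0609608648016503040106" "300e040c" + "5a" * 12)
```

Feeding a whole EnvelopedData to `classify_content_encryption` works the same way, since unrelated OIDs (content type, key-transport algorithm) are in neither table and are skipped.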