> Today this is a "non-issue" because nothing is obligating CAs to respect CAA,
> and thus they can (and are) doing the thing that helps them issue more
> certificates (and, presumably, make more money) - but that doesn't necessarily
> mean it's the right thing.

I can think of at least one CA that values "# of right things done" more highly than "# of certificates issued". Actually, I can think of two or three. There are probably more.

> Yes, it means that introducing CAA restrictions for S/MIME necessarily means
> there will need to be a way to distinguish these cases, so that an
> organization could restrict e-mail vs HTTPS - so CAs that wish to issue
> S/MIME should start working on these.

Right. CAA-bis is a pre-requisite here. As Neil correctly notes, it would be foolish to try to impose semantics and apply policy from the web CAA records onto email certificate issuance without first figuring out what the semantics, requirements and policies should be for email certificate issuance.

-Tim

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy