Normally I’d agree that IETF cannot and should not be a blocker for action at Mozilla and/or CABF, but based on our experience with CAA for web certificates, I would encourage people to get in their time machines and go back two to three years, and listen to Tim standing up and saying “I like CAA for the Web PKI, but what have we not thought of?”
-Tim From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Monday, May 14, 2018 8:24 PM To: Tim Hollebeek <tim.holleb...@digicert.com> Cc: r...@sleevi.com; Pedro Fuentes <pfuente...@gmail.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: question about DNS CAA and S/MIME certificates I don't actually think there is any IETF component to this. There can be, but it's not required to be. On Mon, May 14, 2018 at 6:20 PM, Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: There’s an IETF component, but minimum necessary standards for email certificate issuance is a policy issue, not a technical one. Somewhere, it needs to say “CAs issuing e-mail certificates MUST check CAA in accordance with CAA-bis.” -Tim With CABF governance reform coming into effect on July 3rd, I'm cautiously optimistic we can start writing requirements for e-mail certificates and phasing out bad practices and phasing in good practices soon. CAA for e-mail certificates is definitely worth considering as part of that process. Isn't this an IETF issue? Shouldn't those who issue e-mail certificates begin looking at the level of authentication provided for domains today? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy