When I wrote CAA, my intention was for it to apply to SSL/TLS certs only. I did not consider S/MIME certs to be relevant precisely because of the al...@gmail.com problem.
I now realize that was entirely wrong and that there is in fact great utility in allowing domain owners to control their domains (or not). If Gmail wants to limit the issuance of certs to one CA, fine. That is a business choice they have made.

If you want to have control of your online identity, you need to have your own personal domain. That is why I have hallambaker.com. All my mail is forwarded to gmail.com, but I control my identity and can change mail provider any time I want.

One use case that I see as definitive is to allow PayPal to S/MIME sign their emails. That alone could take a bite out of phishing.

But even with Gmail, the only circumstance I could see where a mail service provider like that would want to restrict cert issuance to one CA would be if they were to roll out S/MIME with their own CA.