On 20/08/2018 10:06, pekka.lahtiha...@teliasonera.com wrote:
> In our implementation E value in our certificates was "true" if it passed our technical and visual
> verification. If the BR requirement is to do "any" verification for E then the verification
> techniques we used should be OK. We think that BR has meant that both OU and E are based on values defined by
> Applicant and it is not mandatory to do any email send/response verification. How do you conclude that BR
> words "has been verified by the CA" actually means that some email has to be sent? In our opinion E
> is just a support email address and its verification is not similar to important subject fields like O, L or C
> but can be compared to OU verification.


This is a basic X.509 and certificate concept; I have not checked if
the BRs specifically mention requirements for the "e-mail" field in
distinguished names in TLS certificates.

But validation must, as a matter of first principles, be an actual
validation, not some person going "looks fine".

Remember, every certificate is the CA (in this case Telia) signing a
statement to the world at large that "We, Telia-Sonera AB, hereby swear
that we have verified every fact here stated to the best of our ability,
and you can rely on these facts without doing any checking of your own".

The BRs merely add specific requirements for CAB/F browser members to
consider a CA operation to be good enough that their browser will be
configured to trust that CA for any end-user not manually overriding
that decision.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy