On Wednesday, December 12, 2018 at 7:59:46 PM UTC-5, Jeremy Rowley wrote:
> Some systems look like they verify the email address/domain name at issuance
> and then never again for the same account. Other systems verify the email
> address and domain every 825 days. The last set verifies the email address
> each time a certificate is issued. I think each are equally compliant, but
> the set-it-and-forget it method doesn't seem in the spirit of ensuring
> control over the email address. Is there guidance on how often this
> reverification should occur?

We have implemented the 825-day rule from the SSL BRs to re-verify information for an S/MIME certificate. This rule is applied to the information in the subject DN and the email address/domain. As such, we have also implemented the 825-day reuse rule. This also allows the use of the same information for different certificate types.

Bruce.