We do re-verify on every re-issuance and do not re-use verification information. But we are probably not the most typical example, as all our verification information comes from HR systems.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens
www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On behalf of Jeremy Rowley via dev-security-policy
> Sent: Thursday, 13 December 2018 02:00
> To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: s/MIME certs and authentication
>
> Now that the Symantec TLS distrust is essentially behind us, we're working on migrating all of the s/MIME certificates to DigiCert hierarchies. Once this is complete, the browsers can remove the legacy Symantec roots completely. In my new compliance role, I'm looking at how to create a smooth, but compliant, transition process. One major question I had while reviewing some of the systems is the frequency of s/MIME cert reverification. Nothing is specified in the policy that I could see. I thought I'd raise the question here to see if there's a policy somewhere else or if Mozilla wants to consider an official policy in one of its next updates.
>
> Some systems look like they verify the email address/domain name at issuance and then never again for the same account. Other systems verify the email address and domain every 825 days. The last set verifies the email address each time a certificate is issued. I think each is equally compliant, but the set-it-and-forget-it method doesn't seem in the spirit of ensuring control over the email address. Is there guidance on how often this reverification should occur?
>
> Thanks for the input.
>
> Jeremy

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy