On Thu, Dec 13, 2018 at 10:53 AM pedro.wisekey--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Maybe we should set clear grounds on what is verified and how, not only in
> the frequency.

I agree and think that creating piecemeal requirements is a bad idea. The
CAB Forum is working on forming an S/MIME working group to develop baseline
requirements, but that will take a long time. Do others think it would be a
good idea to create a set of interim Mozilla requirements for S/MIME
validation?

> For S/MIME capability itself, we are required to ensure that "the entity
> submitting the request controls the email account associated with the email
> address referenced in the certificate", so by merely making the process to
> require the user to access his email account to, for example, download the
> renewed certificate it seems to be enough, as any other method like a
> bounce-back message could probably get to the same result.

This is an interesting idea, and it leads to a question I have about
Symantec's legacy processes: In cases where the control of the email
address was only validated at first issuance, was there some rationale for
never revalidating? Also, how was the initial validation performed?

> But if we talk in general about Personal Certificates and the certificate
> contains the full name and other identity attributes like the organization
> name, it's far more complex and right now totally unregulated, and the CA
> is expected to apply some controls to ensure that any of these attributes
> remain correct over time... So some criteria will need to be set at some
> point.

Mozilla policy is only concerned with TLS and S/MIME.

> And of course, most of us provide MPKI services to companies that manage
> certificates for the employees using an email address of the domains owned
> by the company, so we should be able to rely on their HR processes to
> ensure that a person bearing a corporate email address is actually an
> active employee, without needing to enforce additional checks on our side.

In other words, the CA only needs to verify that the MPKI Subscriber
controls the domain name.

> So not an easy topic you raised, Jeremy...
>
> Best,
> Pedro
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
