On Thu, Dec 13, 2018 at 09:50:21AM -0800, pedro.wisekey--- via dev-security-policy wrote:
> For S/MIME capability itself, we are required to ensure that "the entity
> submitting the request controls the email account associated with the
> email address referenced in the certificate", so by merely making the
> process to require the user to access his email account to, for example,
> download the renewed certificate it seems to be enough, as any other
> method like a bounce-back message could probably get to the same result.

That seems rather backwards. You're issuing the certificate and *then* validating control of the e-mail address. I doubt that issuing a TLS server certificate and then performing domain control validation would be considered acceptable, and I don't imagine there's enough of a difference in S/MIME certificates to make it acceptable for those, either.

- Matt