On Mon, May 13, 2019 at 1:25 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> The BRs forbid delegation of domain and IP address validation to third
> parties. However, the BRs don't forbid delegation of email address
> validation nor do they apply to S/MIME certificates.
>
> Delegation of email address validation is already addressed by Mozilla's
> Forbidden Practices [1] state:
>
> "Domain and Email validation are core requirements of the Mozilla's Root
> Store Policy and should always be incorporated into the issuing CA's
> procedures. Delegating this function to 3rd parties is not permitted."
>
> I propose that we move this statement (changing "the Mozilla's Root Store
> Policy" to "this policy") into policy section 2.2 "Validation Practices".
>
> This is https://github.com/mozilla/pkipolicy/issues/175
>
> I will appreciate everyone's input on this proposal.
>
> - Wayne

This strikes me as tricky to get right, because an e-mail contains both a local-part and a domain (to use the terminology from RFC 5322, 3.4.1) [1].

Under the SSL/TLS model, we do allow partial (conceptual) delegation of domain validation, with respect to Section 1.3.2 of the BRs [2] ("The CA SHALL confirm that the requested Fully-Qualified Domain Name(s) are within the Enterprise RA's verified Domain Namespace") and the use of "Authorization Domain Names". I say it's partial, because the CA still has certain obligations (such as CAA checking), but otherwise can allow an external entity to represent subdomains as authorized, without requiring additional control validation.

I highlight this, because in the context of S/MIME, the question is whether or not the CA is responsible for validating the local-part, or whether it may delegate validation of that to the operator of the domain.

The semantics of the local-part are entirely at the responsibility of the holder - they can, for example, dictate that local-parts are equivalent based on the presence of full-stop (".") characters, or they might even designate equivalence based on the presence of some token (for example, the use of "+label"), both examples taken from Gmail/GSuite, but which have since expanded among industry.

I think it's fairly reasonable to designate an organization as an Enterprise RA, in the S/MIME sense, allowing them to control issuance for arbitrary local-parts if they've demonstrated control over the domain (and thus, correspondingly, the primary MX records).

Is this something you think is reasonable to continue supporting, or is this something you'd like to prohibit? Understanding your/Mozilla's goals would help figure out productive next steps - whether to convince you otherwise ;) or to provide draft language accounting for it.

[1] https://tools.ietf.org/html/rfc5322#section-3.4.1
[2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.5.pdf

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
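The reply above argues that only the domain holder knows which local-parts name the same mailbox. The following is an added illustration of that point, not code from the thread or from any CA or Mozilla policy: a small canonicalizer that applies a per-domain local-part policy (dot-folding and "+label" stripping for one constructed domain, case-folding only for another, and opaque treatment for a domain with no declared policy). The domain names, the policy table and the folding rules are assumptions constructed for the example; a CA that lacks the domain holder's policy can only fall through to the opaque case.

```python
"""Local-part equivalence depends on the receiving domain's policy.

Added example (not from the mailing-list thread). RFC 5322 fixes the
syntax of addr-spec (local-part "@" domain) but leaves the meaning of
the local-part to the domain. A CA that challenges one address can only
know which other addresses that challenge covers if the domain holder
(the thread's "Enterprise RA") has declared its equivalence rules.

All domain names and policies below are constructed for illustration.
"""
from typing import Callable, Dict, Tuple


def fold_dots_and_plus(local: str) -> str:
    """Constructed 'Gmail-style' rule, as described in the thread:
    ignore '.' and anything from the first '+' on; case-insensitive."""
    base = local.split("+", 1)[0]
    return base.replace(".", "").lower()


def case_fold_only(local: str) -> str:
    """Constructed rule for a domain that treats local-parts as
    case-insensitive but otherwise literal."""
    return local.lower()


def opaque(local: str) -> str:
    """No declared policy: RFC 5322 permits case-sensitive, literal
    local-parts, so the CA must not assume any equivalence."""
    return local


# Assumed policy table a domain holder might declare to a CA.
POLICIES: Dict[str, Callable[[str], str]] = {
    "gmail-style.example": fold_dots_and_plus,
    "plain.example": case_fold_only,
}


def split_address(addr: str) -> Tuple[str, str]:
    """Split an addr-spec into (local-part, lowercase domain).

    The domain cannot contain '@', so the last '@' separates the parts.
    Quoted local-parts with an embedded '@' are out of scope here.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    # Domain names are case-insensitive regardless of local-part policy.
    return local, domain.lower()


def canonical(addr: str) -> str:
    """Canonical mailbox identity under the domain's declared policy."""
    local, domain = split_address(addr)
    rule = POLICIES.get(domain, opaque)
    return f"{rule(local)}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if the domain's policy says a and b reach the same mailbox,
    i.e. a challenge delivered to one would also validate the other."""
    return canonical(a) == canonical(b)


if __name__ == "__main__":
    pairs = [
        ("John.Doe+smime@Gmail-Style.example", "johndoe@gmail-style.example"),
        ("john.doe@plain.example", "johndoe@plain.example"),
        ("john.doe@unknown.example", "John.Doe@unknown.example"),
    ]
    for a, b in pairs:
        print(f"{a} ~ {b}: {same_mailbox(a, b)}")
```

The practical reading: under the first policy the CA can validate "johndoe@gmail-style.example" and the domain holder's rules extend that to "John.Doe+smime@...", but for "unknown.example" the CA has no basis to treat two spellings as one mailbox, which is why the thread frames local-part validation as something the domain holder is positioned to vouch for.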