On Mon, May 13, 2019 at 2:09 PM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Piggybacking on Ryan's message and putting it into my mundane words, I'd say
> that it is reasonable to say that a CA must not delegate the validation of
> what is after the @ in the email address, but I think it's totally
> admissible to let the domain owner (and typically email service provider)
> assume the task of issuing certificates to its users without further
> intervention of the CA once the domain part has been validated.
>
> Just my two cents...
>
> Pedro
>
> On Monday, 13 May 2019, 19:58:46 (UTC+2), Ryan Sleevi wrote:
> > On Mon, May 13, 2019 at 1:25 PM Wayne Thayer via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > The BRs forbid delegation of domain and IP address validation to third
> > > parties. However, the BRs don't forbid delegation of email address
> > > validation nor do they apply to S/MIME certificates.
> > >
> > > Delegation of email address validation is already addressed by Mozilla's
> > > Forbidden Practices [1], which state:
> > >
> > > "Domain and Email validation are core requirements of the Mozilla's Root
> > > Store Policy and should always be incorporated into the issuing CA's
> > > procedures. Delegating this function to 3rd parties is not permitted."
> > >
> > > I propose that we move this statement (changing "the Mozilla's Root Store
> > > Policy" to "this policy") into policy section 2.2 "Validation Practices".
> > >
> > > This is https://github.com/mozilla/pkipolicy/issues/175
> > >
> > > I will appreciate everyone's input on this proposal.
> > >
> > > - Wayne
> > >
> >
> > This strikes me as tricky to get right, because an e-mail contains both a
> > local-part and a domain (to use the terminology from RFC 5322, 3.4.1) [1]
> >
> > Under the SSL/TLS model, we do allow partial (conceptual) delegation of
> > domain validation, with respect to Section 1.3.2 of the BRs [2] ("The CA
> > SHALL confirm that the requested Fully-Qualified Domain Name(s) are within
> > the Enterprise RA's verified Domain Namespace") and the use of
> > "Authorization Domain Names". I say it's partial, because the CA still has
> > certain obligations (such as CAA checking), but otherwise can allow an
> > external entity to represent subdomains as authorized, without requiring
> > additional control validation.
> >
> > I highlight this, because in the context of S/MIME, the question is whether
> > or not the CA is responsible for validating the local-part, or whether it
> > may delegate validation of that to the operator of the domain. The
> > semantics of the local-part are entirely at the responsibility of the
> > holder - they can, for example, dictate that local-parts are equivalent
> > based on the presence of full-stop (".") characters, or they might even
> > designate equivalence based on the presence of some token (for example, the
> > use of "+label"), both examples taken from Gmail/GSuite, but which have
> > since expanded among industry.
> >
> > I think it's fairly reasonable to designate an organization as an
> > Enterprise RA, in the S/MIME sense, allowing them to control issuance for
> > arbitrary local-parts if they've demonstrated control over the domain (and
> > thus, correspondingly, the primary MX records). Is this something you think
> > is reasonable to continue supporting, or is this something you'd like to
> > prohibit? Understanding your/Mozilla's goals would help figure out
> > productive next steps - whether to convince you otherwise ;) or to provide
> > draft language accounting for it.
> >
>

The goal of this issue is to move a currently "required practice" into the
formal policy so that we don't have requirements that aren't explicitly
called out in policy. However, everyone has made it clear that the current
statement is too vague to add to our policy.

I think we can rely on the BRs to set forth the requirements for TLS
certificates.

If we are going to craft a policy for S/MIME, I agree that we should permit
delegation of the local-part. The resulting language could be:

CAs MUST NOT delegate validation of the domain name part of an email
address to a 3rd party.

Thoughts?

> > [1] https://tools.ietf.org/html/rfc5322#section-3.4.1
> > [2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.5.pdf
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
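The split Ryan and Wayne describe above, with the CA keeping responsibility for the domain part of an addr-spec while the local-part's meaning is left to the domain holder acting as an Enterprise RA, is worked through below as an added example. It is not code from the thread, from Mozilla, or from any CA: the `EnterpriseRA` record, the `corp.example` namespace and the Gmail-style dot and "+label" equivalence rule are constructed for illustration, and the RFC 5322 parsing is deliberately limited to dot-atom local-parts and plain domains (no quoted strings, comments or domain literals).

```python
import re
from dataclasses import dataclass
from typing import Callable

# Simplified RFC 5322 section 3.4.1 addr-spec: dot-atom local-part and a
# dotted domain. Quoted-string local-parts, comments and domain literals are
# rejected; that restriction is an assumption of this example.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDR_RE = re.compile(rf"^(?P<local>{_DOT_ATOM})@(?P<domain>{_LABEL}(?:\.{_LABEL})+)$")


def split_address(addr: str) -> tuple[str, str]:
    """Return (local-part, domain) for a dot-atom addr-spec, else raise ValueError."""
    m = _ADDR_RE.match(addr)
    if not m:
        raise ValueError(f"not a dot-atom addr-spec: {addr!r}")
    # Domains are case-insensitive; the local-part is left exactly as given,
    # because only the domain holder knows whether its local-parts are.
    return m.group("local"), m.group("domain").lower()


def within_namespace(domain: str, verified: set[str]) -> bool:
    """CA-side check: is `domain` equal to, or a subdomain of, a verified domain?

    This mirrors the BR 1.3.2 rule that the requested name must be within the
    Enterprise RA's verified Domain Namespace. Suffix matching is done on a
    label boundary so that notcorp.example is not inside corp.example.
    """
    domain = domain.lower()
    return any(domain == v or domain.endswith("." + v) for v in (x.lower() for x in verified))


def gmail_style_canonical(local: str) -> str:
    """Hypothetical domain-holder rule: dots are ignored and a '+label' suffix is dropped."""
    base = local.split("+", 1)[0]
    return base.replace(".", "").lower()


@dataclass
class EnterpriseRA:
    """Constructed record of an organisation the CA has validated as an Enterprise RA."""
    name: str
    verified_domains: set[str]
    # The RA's own equivalence rule for local-parts. The CA never applies it;
    # it is the domain holder's business.
    canonicalize: Callable[[str], str] = gmail_style_canonical


def ca_authorize(ra: EnterpriseRA, addr: str) -> dict:
    """What the CA itself decides: the domain part must be in the RA's namespace.

    The local-part is recorded as asserted by the RA, not validated by the CA.
    """
    local, domain = split_address(addr)
    if not within_namespace(domain, ra.verified_domains):
        return {"issue": False, "reason": f"{domain} is outside the namespace of RA {ra.name}"}
    return {
        "issue": True,
        "domain": domain,
        "domain_validated_by": "CA",
        "local_part": local,
        "local_part_validated_by": ra.name,
    }


def ra_same_mailbox(ra: EnterpriseRA, a: str, b: str) -> bool:
    """What only the RA can decide: whether two addresses name the same mailbox."""
    la, da = split_address(a)
    lb, db = split_address(b)
    return da == db and ra.canonicalize(la) == ra.canonicalize(lb)


if __name__ == "__main__":
    ra = EnterpriseRA("Corp Example Mail", {"corp.example"})
    print(ca_authorize(ra, "alice.smith+work@mail.corp.example"))
    print(ca_authorize(ra, "alice@notcorp.example"))
    print(ra_same_mailbox(ra, "a.lice+x@corp.example", "alice@corp.example"))
```

The point of keeping `ca_authorize` and `ra_same_mailbox` separate is that the CA's decision depends only on `within_namespace`, while the dot and "+label" handling lives entirely in the RA's `canonicalize` hook; a policy that forbids delegating the domain part but permits delegating the local-part is exactly this division of functions.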
