On Sat, Oct 5, 2019 at 6:32 AM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Thanks Jeremy, Dimitris,
>
> It does help clarify. I think we're all on the same page: namely, in all
> cases, the CA does the validation of (at minimum) the domain portion.
>
> I think it might be useful to think of this like the split between
> Authorization Domain Name and Fully Qualified Domain Name. A CA isn't
> /required/ to only use the ADN, they could validate just the FQDN and
> always at the FQDN level. But, in both cases, they have to at least
> validate (a portion of) the domain name.
>
> For S/MIME, the idea here is:
> - If the CA had validated the domain portion, they could delegate the
> validation of the local part to the RA. This is the same as the concept of
> Enterprise RA, which allows the RA to handle the O/OU and other attributes,
> as long as the CA validated the domain.
> - Alternatively, the CA could validate the entire e-mail address (e.g.
> using a random value)
>
> But in both cases, the CA is involved in any domain-part validation.
>
> Perhaps said differently:
>

It's not clear if you intended the following to be a concrete policy
proposal, but I'll treat it as such.

> The CA MUST verify all e-mail addresses using a process that is
> substantially similar to the process used to verify domain names, as
> described in the Baseline Requirements.
>

This seems problematic because it could be interpreted as forbidding an
email challenge-response validation, not to mention that "substantially"
leaves a lot of room for interpretation.

> The CA SHALL NOT delegate validation of the domain part of an e-mail
> address.
>

This is
https://github.com/mozilla/pkipolicy/commit/85ae5a1b37ca8e5138d56296963195c3c7dec85a

> The CA SHALL NOT delegate validation of the local part of an e-mail address
> except when delegating to an Enterprise RA, provided that the domain part of
> the e-mail address is within the Enterprise RA's verified Domain Namespace.
>

This seems to go beyond the original intent of this issue and the
discussion to-date, and Enterprise RAs are not defined in the context of
S/MIME certificates. Why is the existing language in section 2.2(2)
insufficient to cover this requirement?

> I tried a couple variations of this (e.g. MAY delegate), but that could be
> read as a loophole of allowing other forms of local-part delegation (i.e.
> the "MAY" reads as "MAY use an Enterprise RA, or MAY use whatever else you
> want", instead of "MAY" only if Enterprise RA)
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy