On Mon, Oct 21, 2019 at 7:01 PM Ryan Sleevi <r...@sleevi.com> wrote:

>
> On Mon, Oct 21, 2019 at 7:58 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>>> The CA MUST verify all e-mail addresses using a process that is
>>> substantially similar to the process used to verify domain names, as
>>> described in the Baseline Requirements.
>>>
>>
>> This seems problematic because it could be interpreted as forbidding an
>> email challenge-response validation, not to mention that "substantially"
>> leaves a lot of room for interpretation.
>>
>
> Yeah, this was more about short-hand matching the existing 2.2
> requirements for validation, which leave "reasonable measures" as the
> validation requirement (i.e. even more room for interpretation ;D)
>
>
>>> The CA SHALL NOT delegate validation of the domain part of an e-mail
>>> address.
>>>
>>
>> This is
>> https://github.com/mozilla/pkipolicy/commit/85ae5a1b37ca8e5138d56296963195c3c7dec85a
>>
>
> Sounds good. This was your proposed response to solving this issue back on
> May 13, so it's full circle :)
>
>

I'm going to consider this issue resolved unless there are further comments.


>>> The CA SHALL NOT delegate validation of the local part of an e-mail
>>> address except when delegating to an Enterprise RA, provided that the
>>> domain part of the e-mail address is within the Enterprise RA's verified
>>> Domain Namespace.
>>>
>>>
>> This seems to go beyond the original intent of this issue and the
>> discussion to-date, and Enterprise RAs are not defined in the context of
>> S/MIME certificates. Why is the existing language in section 2.2(2)
>> insufficient to cover this requirement?
>>
>
> Your original proposal seemed to entirely do away with this ("Delegating
> this function to 3rd parties is not permitted."). I was trying to capture
> the subset for the use case folks identified (including my initial reply to
> your proposal, back on May 13), while still being more prescriptive.
>
> The issue/concern would be a CA reads that they shall not delegate the
> domain portion, but doesn't realize it /also/ means they can't delegate
> 'total' validation, since the full e-mail also contains a domain part. i.e.
> that I can't delegate validating sleevi.example, but I can totally delegate
> validating ryan@sleevi.example since that's not delegating "just" a
> domain part, but delegating validation of a "total" email.
>
> It's contrived, I agree, but it was trying to match your original, much
> more restrictive language, of not allowing any delegation of e-mail.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy