On Tue, Oct 22, 2019 at 4:23 PM Ryan Sleevi <r...@sleevi.com> wrote:
> On Tue, Oct 22, 2019 at 6:31 PM Wayne Thayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>> Thanks Dimitris and Rufus. Would it satisfy your concern if the requirement
>> was changed to:
>>
>> The CA SHALL NOT delegate validation of the Base Domain Name (as defined in
>> the Baseline Requirements) portion of an email address.

Thanks Wayne, I like the new wording.

> If the CA has validated "mycompany.example", associated with account
> "mycompany", what is the expectation for 'localpart'?
>
> Interpretation 1) The CA MAY delegate validation of the localpart to
> 'mycompany'. However, 'mycompany' MUST take reasonable measure ...
>
> Interpretation 2) By validating 'mycompany' as to have control over
> 'mycompany.example', the CA has taken reasonable measure. No further
> validation requirements exist for the localpart, provided it is directed by
> the 'mycompany' account, as 'mycompany' is seen to implicitly have control
> over the MX records.
>
> I'm not sure Interpretation #2 fully holds (e.g. if the CA were using
> something like 3.2.2.4.6 or a non-DNS-based challenge), but I think it was
> trying to get at whether (CA || mycompany) needs to perform some validation
> step for 'localpart' once the validation for the domain part is done.

I simply want to avoid ending up in the situation where I, as the operator of an internal Enterprise PKI, have to do some additional email validation on our own mailboxes. We have 350k users; if the validation process fails for only 1% of them, we have 3,500 help desk tickets.

One last remark: I might be the only one, but I'm not 100% sure what the "this verification" at the end of the last sentence refers to. Is "this verification" (a) the verification of the Authorization Domain Name, (b) the verification of the email address, or (c) both together? If it is (b), as I believe, I would move the whole sentence, starting from "The CA's CP/CPS...", after the first sentence (ending with "the account holder's behalf").

With best regards,
Rufus Buschart

Siemens AG
Siemens Operations
Information Technology
Value Center Core Services
SOP IT IN COR
Freyeslebenstr. 1
91058 Erlangen, Germany
Tel.: +49 1522 2894134
rufus.busch...@siemens.com
http://www.twitter.com/siemens
https://siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy