From: Wayne Thayer <wtha...@mozilla.com>

On Thu, Oct 24, 2019 at 10:33 AM Buschart, Rufus <mailto:rufus.busch...@siemens.com> wrote:
>> One last remark: I might be the only one, but I'm not 100% sure what the
>> "this verification" at the end of the last sentence refers to.
>> Is "this verification" (a) the verification of the Authorization Domain
>> Name, (b) the verification of the email address or (c) both together?
>> If it is (b), as I believe, I would move the whole sentence, starting from
>> "The CA's CP/CPS...", after the first sentence (ending with "the
>> account holder's behalf").
>
> I would argue that (a) is a subset of (b) and there is no difference between
> (b) and (c), but the intent is (c).
Your statement is, in my opinion, totally correct for external CAs. But the scenario I have in mind is a little bit different: In my scenario, there is a Root CA that is included in the Root stores serving the general public and an internal issuing CA only serving "mycompany". In this scenario, the Root CA issues a name-constrained S/MIME-issuing CA certificate to the internal CA of "mycompany" after this CA has proven control over the DNS records for "mycompany.example". This proof of control should be based on the methods from BRG 3.2.2.4 (taking Ryan's remark about the problems of http-validation for this scenario into account). The internal CA issues only S/MIME end-entity certificates for mailboxes under @mycompany.example. Now we have (a) and (b) as totally separated sets of verifications. In this scenario, I would expect that the root CA describes (a) and the internal issuing CA describes (b) in their CP/CPS.

> If a CA issues both TLS and
> S/MIME certificates, their CPS could simply state that the domain component
> is validated using the same methods as used for TLS. For a
> CA that only issues S/MIME certificates, I want to see the methods used to
> validate the domain part documented - especially given that
> they aren't subject to the BRs - along with the methods used to validate the
> local part or the entire address. Maybe
> Would changing "this" to "email address" but leaving that sentence after the
> domain part requirements make it clear? That would read:
>
> "The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to
> perform email address verification."

If you think that the scenario described above is covered by the proposed sentence, I'd be happy with it, but I'm not totally sure if it is covered.

And while writing this email, I think I found one more problem: You are using the term "email account holder", which isn't defined anywhere. Who is the "email account holder" for john.doe@mycompany.example?
Is it John Doe or is it "mycompany"? And in the case of john.doe@public-mail-provider.example? Is it John Doe or the "public mail provider"? I think we need a definition, ideally based on the terms "Subject" and "Subscriber". Or we replace "email account holder" with one of the two terms?

/Rufus

Siemens AG
Siemens Operations
Information Technology
Value Center Core Services
SOP IT IN COR
Freyeslebenstr. 1
91058 Erlangen, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
http://www.twitter.com/siemens
https://siemens.com/ingenuityforlife

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy