On Fri, Oct 25, 2019 at 6:44 PM Buschart, Rufus <rufus.busch...@siemens.com> wrote:
> Your statement is, in my opinion, totally correct for external CAs. But the scenario I have in my mind is a little bit different: In my scenario, there is a Root CA that is included in the Root stores serving the general public and an internal issuing CA only serving "mycompany". In this scenario, the Root CA issues a name-constrained S/MIME-issuing CA certificate to the internal CA of "mycompany" after this CA has proven control over the DNS records for "mycompany.example". This proof of control should be based on the methods from BRG 3.2.2.4 (taking Ryan's remark about the problems of http-validation for this scenario into account). The internal CA issues only S/MIME end-entity certificates for mailboxes under @mycompany.example.
> Now we have (a) and (b) as totally separated sets of verifications. In this scenario, I would expect that the root CA describes (a) and the internal issuing CA describes (b) in their CP/CPS.

Sure, this seems to be permitted under the most recent commit ( https://github.com/mozilla/pkipolicy/commit/0a63f457c059365103e48ad3eb409cd376903e51 )? Provided that both entities disclose the reasonable measures, and that the root CA doesn't delegate the domain portion, the policy is met?

> And while writing this email, I think I found one more problem: You are using the term "email account holder" which isn't defined anywhere. Who is the "email account holder" for john.doe@mycompany.example? Is it John Doe or is it "mycompany"? And in the case of john.doe@public-mail-provider.example? Is it John Doe or the "public mail provider"? I think we need a definition, ideally based on the terms "Subject" and "Subscriber". Or we replace "email account holder" with one of the two terms?

Isn't it handled within that same sentence?
"the entity submitting the request controls the email account associated with the email address referenced in the certificate" seems like it should be clear that the "email account holder" (the following clause) is "the entity that controls the email account associated with the email address" (since it's handling the situation where the applicant is not that entity).

The clunkier reword (not a fan, but seeing how you feel about this, Rufus) would be "the entity submitting the request is *either* the entity that controls the email account associated with the email address referenced in the certificate *or* has been authorized by the entity that controls the email address referenced within the certificate". That avoids introducing the backreference term, but is a mouthful.

I'm assuming you meant Applicant and not Subscriber, since we're talking pre-issuance validation ;)

As to which is it - is it the MX admin/domain admin or the individual meat person - it seems that the answer is either/or/both, at least from the perspective of RFC 822. The meat-person may control the account, or the admin of the account may themselves control the account, or the admin of the domain may control the MX that controls the account. In all cases, they control the email account associated.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
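The scenario quoted above hinges on the root constraining the internal S/MIME-issuing CA to mailboxes under @mycompany.example. As an added example that is not part of this thread, the following implements the rfc822Name name-constraint matching rules of RFC 5280 section 4.2.1.10 so one can check whether an end-entity's email addresses fall inside such a constraint; the constraint values and sample addresses are constructed for illustration.

```python
# Added example: check whether an end-entity's rfc822Name (email) SANs fall
# inside the name constraints of a name-constrained S/MIME-issuing CA, using
# the rfc822Name matching rules from RFC 5280 section 4.2.1.10.
# All constraint values and addresses below are constructed for illustration.

def _split(addr):
    """Split a mailbox into (local part, host); host compared case-insensitively."""
    local, _, host = addr.rpartition("@")
    return local, host.lower()

def rfc822_matches(constraint, email):
    """True if `email` lies within the rfc822Name subtree `constraint`.

    RFC 5280 rules: a constraint containing '@' names exactly one mailbox;
    a bare host ('mycompany.example') names every mailbox on that host only
    (not on subdomains); a leading period ('.mycompany.example') names every
    mailbox on any host within that domain, but not on the apex host itself.
    """
    if "@" not in email:
        return False                      # not a mailbox at all
    local, host = _split(email)
    if "@" in constraint:                 # particular mailbox
        c_local, c_host = _split(constraint)
        return local == c_local and host == c_host
    c = constraint.lower()
    if c.startswith("."):                 # any host within the domain
        return host.endswith(c)
    return host == c                      # exactly this host

def email_permitted(email, permitted=(), excluded=()):
    """Apply the intermediate's constraints: any excluded match rejects;
    if permitted subtrees exist, at least one must match."""
    if any(rfc822_matches(c, email) for c in excluded):
        return False
    if permitted and not any(rfc822_matches(c, email) for c in permitted):
        return False
    return True

# Constructed policy for the thread's scenario: the root restricts the
# internal CA to mailboxes at the host mycompany.example.
MYCOMPANY_PERMITTED = ("mycompany.example",)

if __name__ == "__main__":
    for addr in ("john.doe@mycompany.example",
                 "john.doe@mail.mycompany.example",
                 "john.doe@public-mail-provider.example"):
        print(addr, "->", email_permitted(addr, MYCOMPANY_PERMITTED))
```

Note that a bare-host constraint does not cover subdomains; a CA that also issues for mailboxes at hosts like mail.mycompany.example would additionally need the ".mycompany.example" form in its permitted subtrees.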