I don't agree that the CA MUST validate EVERY field. CAs leverage enterprise RAs to validate some information in SMIME certificates, e.g., the subscriber's name in the CN field, because the CA can't readily validate that. I believe the same is true for some other fields like the UPN, which is the Active Directory account, but I thought I'd start a discussion to see what people thought.
Doug

-----Original Message-----
From: Kurt Roeckx <k...@roeckx.be>
Sent: Thursday, February 6, 2020 4:06 PM
To: Doug Beattie <doug.beat...@globalsign.com>
Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Which fields containing email addresses need to be validated?

On Thu, Feb 06, 2020 at 08:54:04PM +0000, Doug Beattie via dev-security-policy wrote:
> It's not against Mozilla policy to
> issue certificates with unvalidated email addresses in any field as
> long as the Secure Mail EKU is not included, so the intent should be
> to validate only those that are used for Secure Mail.

Any field in the certificate should be validated. If it contains an email address, it should be validated. If it's not validated, it should get removed.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
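The two positions above differ on which email-bearing fields a CA (or its enterprise RA) must validate: every field that carries an address, or only those used for Secure Mail, i.e. when the emailProtection EKU is present. Either way, an auditor first needs an inventory of where addresses actually live in an S/MIME certificate: the subject CN and emailAddress attributes, rfc822Name entries in the SAN, and the Microsoft UPN otherName mentioned by Doug. The script below is an added example written for this thread, not code from either poster, GlobalSign or Mozilla. It assumes the third-party `cryptography` package is installed, builds a constructed self-signed sample certificate, and then lists every field holding an email address together with whether the Secure Mail EKU is set, so the reader can apply whichever policy they favour. The UPN decoding handles only the short-form DER length, which is sufficient for real UPNs under 128 bytes.

```python
"""Inventory of email-bearing fields in an X.509 S/MIME certificate.

Added example for the dev-security-policy thread; not code from any CA or
from the posters. Requires the third-party `cryptography` package. The
sample certificate, names and addresses are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft User Principal Name otherName (szOID_NT_PRINCIPAL_NAME)
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DN_NAMES = {
    NameOID.COMMON_NAME: "CN",
    NameOID.EMAIL_ADDRESS: "emailAddress",
    NameOID.ORGANIZATION_NAME: "O",
}


def _decode_utf8string(der: bytes) -> str:
    """Minimal DER decoder for a UTF8String (tag 0x0C, short-form length)."""
    if len(der) < 2 or der[0] != 0x0C or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("unexpected UPN encoding")
    return der[2:].decode("utf-8")


def email_bearing_fields(cert: x509.Certificate) -> List[Tuple[str, str]]:
    """Return (field, value) pairs for every place an email address appears."""
    found = []
    # Subject DN: emailAddress always counts; CN or any other attribute counts
    # when its value looks like an address (a common S/MIME practice).
    for attr in cert.subject:
        value = attr.value if isinstance(attr.value, str) else repr(attr.value)
        if attr.oid == NameOID.EMAIL_ADDRESS or EMAIL_RE.match(value):
            found.append(("subject:" + _DN_NAMES.get(attr.oid, attr.oid.dotted_string), value))
    # Subject Alternative Name: rfc822Name entries and the UPN otherName.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return found
    for name in san:
        if isinstance(name, x509.RFC822Name):
            found.append(("san:rfc822Name", name.value))
        elif isinstance(name, x509.OtherName) and name.type_id == UPN_OID:
            found.append(("san:otherName(UPN)", _decode_utf8string(name.value)))
    return found


def has_secure_mail_eku(cert: x509.Certificate) -> bool:
    """True when the certificate asserts id-kp-emailProtection."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.EMAIL_PROTECTION in eku


def fields_requiring_validation(cert: x509.Certificate, secure_mail_only: bool) -> List[Tuple[str, str]]:
    """Apply either reading of the policy: every email field, or only when the EKU is present."""
    if secure_mail_only and not has_secure_mail_eku(cert):
        return []
    return email_bearing_fields(cert)


def build_sample_cert() -> x509.Certificate:
    """Constructed self-signed S/MIME-style certificate with addresses in several fields."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "alice@example.test"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.test"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
    ])
    upn = "alice@corp.example.test"
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode("ascii")  # DER UTF8String
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([
            x509.RFC822Name("alice@example.test"),
            x509.RFC822Name("alice.smith@mail.example.test"),
            x509.OtherName(UPN_OID, upn_der),
        ]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(key, hashes.SHA256())
    )


if __name__ == "__main__":
    cert = build_sample_cert()
    print("Secure Mail EKU present:", has_secure_mail_eku(cert))
    for field, value in email_bearing_fields(cert):
        print(f"{field:28s} {value}")
```

Run against a real certificate by replacing `build_sample_cert()` with `x509.load_pem_x509_certificate(open(path, "rb").read())`; any field listed that the CA did not validate itself or through a trusted RA is the gap the thread is arguing about.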