Eddy Nigg (StartCom Ltd.) wrote:
> Well, I consider this the minimal technical validation required.
> Identity/Organization validation for S/MIME implies proof of ownership
> of the email account/address. Thunderbird doesn't validate the common
> name or organization field, but the email address.

A fair point; it's the distinction between what the software checks (from address vs. address in cert) and what the person could check (name in cert).

> Considering for a minute your statement above, what are the CAs in
> question doing in order to guaranty domain/email ownership? What are the
> controls in place which let them rely on identity validation only?

This is where I think we need further investigation, and is partly why I suggested talking to some people in the Netherlands familiar with use of these certs. It may be that certs issued to individuals by these CAs in the context of Dutch law, business and government services, etc., are primarily used in non-email contexts (e.g., client authentication to SSL sites, digital signing of documents separate from email, etc.), and email addresses are put in the certs just for completeness. In any case, if it comes to that we can certainly move forward with this application for SSL and code signing, and leave the email trust bit turned off until such time as this gets sorted out.

>> Staat der Nederlanden is not a legacy root in the sense of being
>> approved in the Netscape days. I approved it myself a while back, though
>> at the moment I can't recall whether it was before or after adoption of
>> our current policy.
>>
> Nelson added this root on 2005-04-11, certainly when the CA policy
> already existed, but maybe still unapproved.

Actually I approved the Staat der Nederlanden application back in September of 2004 (see bug 243424), but it didn't get added to NSS until several months later. At the time Staat der Nederlanden was approved we were in the midst of discussing a new CA policy, but hadn't yet finalized it. So during that period I was operating under an interim policy that basically matched Microsoft's policy at the time, of approving CAs based on completion of a WebTrust audit. That's why the issue of validating email account control didn't come up at that time.

As for doing something about Staat der Nederlanden now, and in particular turning off the email trust bit for its certs, that warrants further discussion. Even if the CA is not in compliance with our current policy, I still have to balance that against the potential impact of having Staat der Nederlanden certs no longer work with S/MIME email in Thunderbird, etc. (Because disabling signed and encrypted email for an existing user base itself has security implications.) That's another reason why I'd like more input from people more familiar with how the certs are used in practice.

Frank

--
Frank Hecker
[EMAIL PROTECTED]