Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-21 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 21, 2019 at 7:58 PM Wayne Thayer wrote:
>> The CA MUST verify all e-mail addresses using a process that is substantially similar to the process used to verify domain names, as described in the Baseline Requirements.
>
> This seems problematic because it could be interpreted

Re: Policy 2.7 Proposal: Clarify Revocation Requirements for S/MIME Certificates

2019-10-21 Thread Wayne Thayer via dev-security-policy
Here are the proposed changes:
* Reinstate Mozilla's revocation requirements for S/MIME certificates: https://github.com/mozilla/pkipolicy/commit/e6337bb76a4522da15aeb7c0862b6cc05d317814 (replacing the original 2.7 proposal with the older Root Store policy requirements)
* Require revocation when a

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-21 Thread Wayne Thayer via dev-security-policy
On Sat, Oct 5, 2019 at 6:32 AM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Thanks Jeremy, Dimitris,
>
> It does help clarify. I think we're all on the same page: namely, in all cases, the CA does the validation of (at minimum) the domain portion.
>
> I

Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-10-21 Thread Wayne Thayer via dev-security-policy
I've gone ahead and moved the effective date of this policy back to July 1, 2020: https://github.com/mozilla/pkipolicy/commit/7a879fe371844d265c484a8f0ce40fd255967c13

On Wed, Oct 2, 2019 at 6:04 PM Jeremy Rowley wrote:
> I'm surprised any CA has heartburn over the EKU changes. Microsoft has