Re: When to accept/require revised audits for missing cert fingerprints

2020-02-06 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 4, 2020 at 6:59 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > All, > > https://wiki.mozilla.org/CA/Audit_Letter_Validation > currently says: > "" > Acceptable remediation for an intermediate certificate missing BR audits > may include one

Re: Which fields containing email addresses need to be validated?

2020-02-06 Thread Ryan Sleevi via dev-security-policy
(Replying from the correct e-mail) On Thu, Feb 6, 2020 at 3:55 PM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > We should clarify the Mozilla policy to more clearly define list of fields > containing email address (those 3 listed above) must be validated

Re: Which fields containing email addresses need to be validated?

2020-02-06 Thread Kurt Roeckx via dev-security-policy
On Thu, Feb 06, 2020 at 09:31:40PM +, Doug Beattie via dev-security-policy wrote: > I don't agree that the CA MUST validate EVERY field. CAs leverage > enterprise RAs to validate some information in SMIME certificates, e.g., the > subscriber's name in the CN field because the CA can't readily

RE: Which fields containing email addresses need to be validated?

2020-02-06 Thread Doug Beattie via dev-security-policy
I don't agree that the CA MUST validate EVERY field. CAs leverage enterprise RAs to validate some information in SMIME certificates, e.g., the subscriber's name in the CN field because the CA can't readily validate that. I believe the same is true for some other fields like the UPN which is the

Re: Which fields containing email addresses need to be validated?

2020-02-06 Thread Kurt Roeckx via dev-security-policy
On Thu, Feb 06, 2020 at 08:54:04PM +, Doug Beattie via dev-security-policy wrote: > It's not against Mozilla policy to > issue certificates with unvalidated email addresses in any field as long as > the Secure Mail EKU is not included, so the intent should be to validate > only those that are

Which fields containing email addresses need to be validated?

2020-02-06 Thread Doug Beattie via dev-security-policy
The Mozilla policy section 2.2 says: * . the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate. Since the Mozilla policy only applies to certificates with the EKU of