Maybe we should set clear grounds on what is verified and how, not only the frequency.

For S/MIME capability itself, we are required to ensure that "the entity submitting the request controls the email account associated with the email address referenced in the certificate", so merely making the process require the user to access his email account to, for example, download the renewed certificate seems to be enough, as any other method like a bounce-back message could probably get to the same result.

But if we talk in general about Personal Certificates and the certificate contains the full name and other identity attributes like the organization name, it's far more complex and right now totally unregulated, and the CA is expected to apply some controls to ensure that any of these attributes remain correct over time... So some criteria will need to be set at some point.

And of course, most of us provide MPKI services to companies that manage certificates for their employees using an email address of the domains owned by the company, so we should be able to rely on their HR processes to ensure that a person bearing a corporate email address is actually an active employee, without needing to enforce additional checks on our side.

So, not an easy topic you raised, Jeremy...

Best,
Pedro

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy