I'm forwarding this for Tim because the list rejected it as SPAM.
*From:* Tim Hollebeek
*Sent:* Monday, April 2, 2018 2:22 PM
*To:* 'mozilla-dev-security-policy' <mozilla-dev-security-policy@lists.mozilla.org>
*Subject:* Complying with Mozilla policy on email validation

Mozilla policy currently has the following to say about validation of email addresses in certificates:

“For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf.”

“If the certificate includes the id-kp-emailProtection extended key usage, then all end-entity certificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use.”

“Before being included and periodically thereafter, CAs MUST obtain certain audits for their root certificates and all of their intermediate certificates that are not technically constrained to prevent issuance of working server or email certificates.”

(Nit: Mozilla policy is inconsistent in its usage of email vs e-mail. I’d fix the one hyphenated reference.)

This is basically method 1 for email certificates, right?

Is it true that Mozilla policy today allows “business controls” to be used for validating email addresses, which can essentially be almost anything, as long as it is audited?

(I’m not talking about what the rules SHOULD be, just what they are. What they should be is a discussion we should have in a newly created CA/* SMIME WG.)

-Tim

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy