Re: Which fields containing email addresses need to be validated?

2020-02-07 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 7, 2020 at 7:55 AM douglas.beattie--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, February 6, 2020 at 6:05:20 PM UTC-5, Ryan Sleevi wrote: > > (Replying from the correct e-mail) > > > > On Thu, Feb 6, 2020 at 3:55 PM Doug Beattie via

Re: Which fields containing email addresses need to be validated?

2020-02-07 Thread douglas.beattie--- via dev-security-policy
On Thursday, February 6, 2020 at 6:05:20 PM UTC-5, Ryan Sleevi wrote: > (Replying from the correct e-mail) > > On Thu, Feb 6, 2020 at 3:55 PM Doug Beattie via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > We should clarify the Mozilla policy to more clearly define

Re: Which fields containing email addresses need to be validated?

2020-02-06 Thread Ryan Sleevi via dev-security-policy
(Replying from the correct e-mail) On Thu, Feb 6, 2020 at 3:55 PM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We should clarify the Mozilla policy to more clearly define list of fields > containing email address (those 3 listed above) must be validated

Re: Which fields containing email addresses need to be validated?

2020-02-06 Thread Kurt Roeckx via dev-security-policy
On Thu, Feb 06, 2020 at 09:31:40PM +, Doug Beattie via dev-security-policy wrote: > I don't agree that the CA MUST validate EVERY field. CAs leverage > enterprise RAs to validate some information in SMIME certificates, e.g., the > subscribers name in the CN field because the CA can't readily

RE: Which fields containing email addresses need to be validated?

2020-02-06 Thread Doug Beattie via dev-security-policy
is the active directory account, but I thought I'd start a discussion to see what people thought. Doug -Original Message- From: Kurt Roeckx Sent: Thursday, February 6, 2020 4:06 PM To: Doug Beattie Cc: mozilla-dev-security-policy Subject: Re: Which fields containing email addresses need

Re: Which fields containing email addresses need to be validated?

2020-02-06 Thread Kurt Roeckx via dev-security-policy
On Thu, Feb 06, 2020 at 08:54:04PM +, Doug Beattie via dev-security-policy wrote: > It's not against Mozilla policy to > issue certificates with unvalidated email addresses in any field as long as > the Secure Mail EKU is not included, so the intent should be to validate > only those that are

Which fields containing email addresses need to be validated?

2020-02-06 Thread Doug Beattie via dev-security-policy
The Mozilla policy section 2.2 says: * . the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate. Since the Mozilla policy only applies to certificates with the EKU of