On 2015-11-11 19:46, Steve Roylance wrote:
Hypothetically, a government organization wishing to issue S/MIME certificates to citizens on a range of ccTLD based domains could be technically constrained through the inclusion of EKU's
I just wondering how you would imagine this would work. Would said government also host the email, possibly delegating that to some corporation? Or could citizen just go to their government and ask it to issue a certificate for their existing email address?
I guess you talk about the first case. In which case I expect that to be constrained to some other subdomain. If you argue that there might be more of such subdomains, I expect a CA for each of those subdomains.
The 2nd case is probably not going to work since a lot of people might not have a email address with the right ccTLD.
Kurt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
