> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-[email protected]] On Behalf Of Kurt Roeckx
> Sent: 12 November 2015 11:41
> To: [email protected]
> Subject: Re: Clarify that a ccTLD is not acceptable in permittedSubtrees
>
> On 2015-11-11 19:46, Steve Roylance wrote:
> > Hypothetically, a government organization wishing to issue S/MIME
> > certificates to citizens on a range of ccTLD based domains could be
> > technically constrained through the inclusion of EKUs
>
> I'm just wondering how you would imagine this would work. Would said
> government also host the email, possibly delegating that to some corporation?
> Or could a citizen just go to their government and ask it to issue a
> certificate for their existing email address?
>
> I guess you talk about the first case. In which case I expect that to be
> constrained to some other subdomain. If you argue that there might be more
> of such subdomains, I expect a CA for each of those subdomains.

[Steve Roylance] Agreed, and if known to be a specific set of domains then these can be added as a group (if all owners agree) or individually.

>
> The 2nd case is probably not going to work since a lot of people might not
> have an email address with the right ccTLD.

[Steve Roylance] - I'm expecting the second, with the government doing a challenge response on the e-mail (Business means) as well as only supporting specific in-country e-mail domains. As you say, it's possibly not practical in real terms, hence the hypothetical, but we want to know what's possible before we enter into discussions and choose (in good faith) to add a ccTLD constraint that others deem to be bad practice. If .com and .net are a requirement then I agree there's no point. I appreciate the initial feedback.

>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

