On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote: > On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote: > > I seem to recall we had some discussion a while back about what criteria > > should be applied to email CAs. Where did we end up on that? > > I don't believe anything was settled. There is one small item in the CA > policy: > > "for a certificate to be used for digitally signing or encrypting > email messages, the CA takes reasonable measures to verify that the > entity submitting the request controls the email account associated > with the email address referenced in the certificate or has been > authorized by the email account holder to act on the account holder’s > behalf;" > > Other than that, I don't think there are any requirements.
Correct. When we had the discussion about removing trust bits, the consensus was that we should continue supporting the email trust bit. I think the long term intent is for the CAB Forum to eventually be structured in such a way that a working group of those interested in S/MIME certs would be formed to create Baseline Requirements for that type of cert. But, that's really a discussion for the CAB Forum. So for now, we continue to review such CAs to make sure there aren't any obvious show-stoppers, and that the email address to be included in the certs is verified to be owned/controlled by the cert subscriber. > It isn't > clear to me that the subordinate CA disclosure rule even applies to > e-mail only roots. > We consider roots with only the email trust bit enabled to be technically constrained, such that their subCAs don't need to be disclosed. Thanks, Kathleen _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
