On 05/05/17 19:44, Dimitris Zacharopoulos wrote:
>   * MUST include an EKU that has the id-kp-emailProtection value AND
>   * MUST include a nameConstraints extension with
>       o a permittedSubtrees with
>           + rfc822Name entries scoped in the Domain (@example.com) or
>             Domain Namespace (@example.com, @.example.com) controlled by
>             an Organization and

It's this part that I'm looking for good wording for to make sure I
don't accidentally exclude valid use cases.

>           + dirName entries scoped in the Organizational name and location

Help me understand how dirName interacts with id-kp-emailProtection?

> (a) For each rfc822Name in permittedSubtrees, the CA MUST confirm that
> the Applicant has registered the Domain or Domain Namespace or has been
> authorized by the domain registrant to act on the registrant's behalf in
> line with the verification practices of section 3.2.2.4.
> (b) For each DirectoryName in permittedSubtrees the CA MUST confirm the
> Applicants and/or Subsidiary’s Organizational name and location such
> that end entity certificates issued from the subordinate CA Certificate
> will be in compliance with section 7.1.2.4 and 7.1.2.5.

Does anyone see problems with this language?

Gerv
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
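
An added example, not part of the original message or of any Mozilla or CA/Browser Forum text: how an rfc822Name entry in permittedSubtrees is matched under RFC 5280 section 4.2.1.10, which shows why a "Domain" and a "Domain Namespace" need different entries. It assumes the message's "@example.com" and "@.example.com" correspond to the RFC 5280 constraint forms "example.com" and ".example.com"; the function names and sample addresses are constructed for illustration.

```python
# Added illustration of RFC 5280 section 4.2.1.10 rfc822Name constraint matching.
# Function names and sample data are hypothetical, not from the original thread.

def rfc822_matches(address: str, constraint: str) -> bool:
    """Return True if one mailbox satisfies one rfc822Name constraint."""
    local, sep, host = address.rpartition("@")
    if not sep or not local or not host:
        return False  # not a mailbox, so it can never be permitted
    host = host.lower()
    if "@" in constraint:
        # Full mailbox form: local part compared exactly, host ignoring case.
        c_local, _, c_host = constraint.rpartition("@")
        return local == c_local and host == c_host.lower()
    c = constraint.lower()
    if c.startswith("."):
        # Leading period: any subdomain, but NOT the bare host itself.
        return host.endswith(c) and len(host) > len(c)
    # Bare host form: mailboxes on exactly this host, no subdomains.
    return host == c


def permitted(address: str, permitted_subtrees: list) -> bool:
    """A mailbox is permitted if at least one subtree entry matches it."""
    return any(rfc822_matches(address, c) for c in permitted_subtrees)


def outside_scope(addresses: list, permitted_subtrees: list) -> list:
    """Mailboxes a constrained subordinate CA could not validly certify."""
    return [a for a in addresses if not permitted(a, permitted_subtrees)]


# Constructed sample data: the two scopes named in the quoted proposal.
DOMAIN = ["example.com"]                      # "Domain"
NAMESPACE = ["example.com", ".example.com"]   # "Domain Namespace"
SAMPLE = [
    "alice@example.com",
    "bob@mail.example.com",
    "carol@notexample.com",
    "dave@example.com.other.test",
]

if __name__ == "__main__":
    print("outside Domain scope:   ", outside_scope(SAMPLE, DOMAIN))
    print("outside Namespace scope:", outside_scope(SAMPLE, NAMESPACE))
```

A suffix check without the leading-period rule would wrongly accept `carol@notexample.com`, which is why the two constraint forms are kept distinct.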

