On 8/5/2017 1:18 μμ, Gervase Markham wrote:
On 05/05/17 19:44, Dimitris Zacharopoulos wrote:
* MUST include an EKU that has the id-kp-emailProtection value AND
* MUST include a nameConstraints extension with
o a permittedSubtrees with
+ rfc822Name entries scoped in the Domain (@example.com) or
Domain Namespace (@example.com, @.example.com) controlled by
an Organization and
It's this part that I'm looking for good wording for to make sure I
don't accidentally exclude valid use cases.
+ dirName entries scoped in the Organizational name and location
Help me understand how dirName interacts with id-kp-emailProtection?
When the Subscriber belongs to an Organization that needs to be included
in the subjectDN.
Dimitris.
(a) For each rfc822Name in permittedSubtrees, the CA MUST confirm that
the Applicant has registered the Domain or Domain Namespace or has been
authorized by the domain registrant to act on the registrant's behalf in
line with the verification practices of section 3.2.2.4.
(b) For each DirectoryName in permittedSubtrees the CA MUST confirm the
Applicants and/or Subsidiary’s Organizational name and location such
that end entity certificates issued from the subordinate CA Certificate
will be in compliance with section 7.1.2.4 and 7.1.2.5.
Does anyone see problems with this language?
Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
