On 19/05/17 14:58, Jakob Bohm wrote:
> Because the O and other dirname attributes may be shown in an e-mail
> client (current or future) as a stronger identity than the technical
> e-mail address.

Do you know of any such clients?

> Imagine a certificate saying that [email protected] is "CN=Gervase
> Markham, O=Mozilla Corporation, ST=California, CN=US", issued by a
> SubCA name constrained to "@wosign.cn", but not to any range of DNs.

Surely such a certificate would be misissued? Although I guess the issue here is that we are excluding them from scope...

So the idea would be to say that dirName had to be constrained to either be empty (is that possible?) or to contain a dirName validated as correctly representing an organization owning at least one of the domain name(s) in the cert?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

