Hi Doug, On 20/06/17 16:31, Doug Beattie wrote: > I'd like to recommend a phase in of the requirement for technically > constrained CAs that issue Secure email certificates.
For those following along at home, that is this change: https://github.com/mozilla/pkipolicy/issues/69 https://github.com/mozilla/pkipolicy/commit/f96076a01ef10e5d6a84fa4b042227512925cb7c > We have 2 customers that can issue Secure Email certificates that are > not technically constrained with name Constraints (the EKU is > constrained to Secure Email and ClientAuth).> > One customer operates the CA within their environment and has been > doing so for several years. Even though we've been encouraging them to > move back to a Name Constrained CA or a hosted service, To be clear: this customer has the ability to issue email certificates for any email address on the planet, and they control their own intermediate in their own infrastructure? Do they have audits of any sort? What are their objections to moving to a hosted service? > The other customer complies the prior words in the Mozilla policy regarding > "Business Controls". We have an agreement with them where we issue them > Secure Email certificates from our Infrastructure for domains they host and > are contractually bound to using those certificates only for the matching > mail account. Due to the number of different domains managed and fact they > obtain certificates on behalf of the users, it's difficult to enforce > validation of the email address. We have plans to add features to this > issuance platform that will resolve this, but not in the near term. So even though this issuance is from your infrastructure, there are no restrictions on the domains they can request issuance from? Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
