Hi Doug,

On 20/07/17 13:04, Doug Beattie wrote:
> Since there is no BR equivalent for issuance of S/MIME certificates (yet), 
> this is all CAs have to go on.  I was curious if you agree that all of these 
> methods meet the above requirement:

As you might imagine, this question puts me in a difficult position. If
I say that a certain method does meet the requirement, I am making
Mozilla policy up on the fly (and while on holiday ;-). If I say it does
not, I would perhaps panic a load of CAs into having to update their
issuance systems for fear of being dinged for misissuance.

It is unfortunate that there is no BR equivalent for email. However, I'm
not convinced that the best way forward is for Mozilla to attempt to
write one by degrees in response to questioning from CAs :-) I think the
best thing for you to do is to look at your issuance processes and ask
yourself whether you would be willing to stand up in a court of law and
assert that they were "reasonable measures". When thinking about that,
you could perhaps ask yourself whether you were doing any things which
had been specifically outlawed or deprecated in an SSL context by the
recent improvements in domain validation on that side of the house.

dev-security-policy mailing list

Reply via email to