Mozilla policy section 2.2(2) requires validation of email addresses for S/MIME certificates, but doesn't require disclosure of these practices as it does for TLS certificates.
I propose adding the following language from 2.2 (3) (TLS) to 2.2(2) (S/MIME): The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification. This is: https://github.com/mozilla/pkipolicy/issues/114 ------- This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent. Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy