On 5/4/2018 3:08 AM, Wayne Thayer via dev-security-policy wrote:
I think the existing language in section 2.2(2) also supports the
federated authentication system use case you described. It says that the CA
"takes reasonable measures to verify that the entity submitting the request
controls the email account associated with the email address referenced in
the certificate". If a CA first confirms that it is a condition of a
particular federated authentication system that a user must have proven
control over the email account that constitutes their username to activate
their account, then requires that user to prove they can authenticate into
the account, I think that meets the "reasonable" standard, even though a
threat analysis might determine that the method is insufficient for various

I would like to add to Wayne's post by saying that Federated Authentication (OAuth, SAML, etc.) can be (and is) widely used; however, it's up to the CA to evaluate each Identity Provider (IDP) before accepting them as a "Qualified Information Source", to ensure they are consistent with the CA's Policy and Practices for the quality of information included in the response assertions. Each IDP must also be periodically evaluated by the CA for quality assurance purposes.

dev-security-policy mailing list
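As an added example (not code from this thread, nor from any CA or IDP), the check a CA's enrollment front end could perform under the approach Wayne quotes and the evaluation step described above: accept an OpenID Connect ID token only if its issuer is an IDP the CA has already evaluated and recorded as requiring proof of e-mail control, the signature verifies, the token was issued to this relying party and is unexpired, and it asserts email_verified for the address being requested in the certificate. The register ACCEPTED_IDPS, the issuer URLs, client ID and keys are constructed for the example; HS256 with a shared secret stands in for the RS256/ES256 keys a real IDP publishes through its JWKS endpoint; make_id_token is a fixture builder and enrollment_decision a wrapper added for readability.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical register of IDPs the CA has evaluated. Issuer URLs, client IDs
# and keys are constructed for this example. requires_email_proof records the
# outcome of the CA's evaluation: does this IDP require a user to prove control
# of the e-mail address that is their username before the account is usable?
# An IDP that does not pass that evaluation is listed only so the decision can
# say why it was refused; its email_verified claim is never trusted.
ACCEPTED_IDPS = {
    "https://idp.example.test": {
        "client_id": "ca-enrollment-portal",
        "hs256_key": b"constructed-shared-secret-for-idp.example.test",
        "requires_email_proof": True,
    },
    "https://lax-idp.example.test": {
        "client_id": "ca-enrollment-portal",
        "hs256_key": b"constructed-shared-secret-for-lax-idp",
        "requires_email_proof": False,
    },
}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims, key):
    """Build an HS256-signed JWT as a test fixture standing in for an IDP's ID token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verified_email_from_token(token, requested_email, now=None):
    """Return the e-mail address the certificate may carry, or raise ValueError.

    Order matters: the issuer is read from the still-unverified payload only to
    select the key; nothing else in the payload is trusted until the signature
    has been checked against that issuer's key.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    unverified = json.loads(_b64url_decode(body_b64))

    idp = ACCEPTED_IDPS.get(unverified.get("iss"))
    if idp is None:
        raise ValueError("issuer is not an accepted Qualified Information Source")
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(idp["hs256_key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = unverified  # authenticated from here on

    if not idp["requires_email_proof"]:
        raise ValueError("issuer does not require proof of e-mail control at account activation")
    if claims.get("aud") != idp["client_id"]:
        raise ValueError("token was not issued to this relying party")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    if claims.get("email_verified") is not True:
        raise ValueError("IDP did not assert email_verified")
    email = claims.get("email") or ""
    if email.casefold() != requested_email.casefold():
        raise ValueError("requested address does not match the authenticated account")
    return email


def enrollment_decision(token, requested_email, now=None):
    """Wrap the check as an (accepted, detail) pair: detail is the e-mail or the refusal reason."""
    try:
        return True, verified_email_from_token(token, requested_email, now)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    key = ACCEPTED_IDPS["https://idp.example.test"]["hs256_key"]
    claims = {"iss": "https://idp.example.test", "aud": "ca-enrollment-portal",
              "exp": int(time.time()) + 300, "email": "alice@example.test",
              "email_verified": True}
    print(enrollment_decision(make_id_token(claims, key), "alice@example.test"))
    print(enrollment_decision(make_id_token(dict(claims, email_verified=False), key),
                              "alice@example.test"))
```

The refusal for the "lax" issuer is the point of the evaluation step: a token can be perfectly valid and still carry an email_verified claim that the CA has no basis to rely on, because the CA's own review of that IDP found no e-mail-control step at account activation. Periodic re-evaluation of each IDP, as the post asks for, is what keeps requires_email_proof accurate.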