Pedro Fuentes wrote:
> Just to say that looking at this from Europe, I don't see this feasible.
>
> Citizens getting their personal eIDAS-compliant certificate go through
> face-to-face validation and will give virtually any valid e-mail address to
> appear in their certificate.
>
Then that is a problem with eIDAS certificates, not with CAA. eIDAS certificates identify the person and (assuming that email validation is even performed) that they have temporary control of an email address, but if the email is on a corporate domain this does nothing to address issuance against the policies of that company.

> From this point of view, an email address should not even be part of an eIDAS
> certificate (and thus CAA would not apply), but an email is usually included
> for convenience.

(why?) This is because the eIDAS regulation 910/2014 does not contain the words "e-mail", "email" or "message" at all. (!!!)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R0910

As it is now, it is even possible to use and 'verify control' of anonymous disposable email services (e.g. mailinator) for an eIDAS certificate, because the CA/TSP doesn't care about the email or domain policies.

As is noted on the GitHub issue, many providers of free email services have been careful to avoid deploying CAA for the domain names used by their email users, but some have deployed restrictive CAA policies that might affect their users if CAA checking is done (e.g. Yahoo, Yandex).

~~~~
Adrian R.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
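The CAA check the post refers to, shown as an added example that is not code from the original post or from any CA's implementation: the RFC 8659 "relevant RRset" climb applied to the domain part of a mailbox address, followed by the matching rules for the `issue` property. A hand-written zone table stands in for DNS so the example runs offline; every domain name and record in it is constructed for illustration and does not reproduce the real CAA policy of Yahoo, Yandex or anyone else.

```python
"""CAA policy evaluation for the domain part of an e-mail address.

Added example, not code from the original post or from any CA/TSP. It
implements the Relevant Resource Record Set climb from RFC 8659 section 3 and
the matching rules for the "issue" property, using a constructed zone table
instead of live DNS so it runs offline. All names and records below are made
up for illustration and describe no real provider's policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone: FQDN -> CAA RRset at that exact name (absent name = empty RRset).
ZONE: Dict[str, List[CAARecord]] = {
    "example.net": [CAARecord(0, "issue", "ca-one.example")],
    "mail.example.net": [],                             # nothing here: climbs to example.net
    "open.example": [],                                 # provider that publishes no CAA at all
    "locked.example": [CAARecord(0, "issue", ";")],     # empty issuer: no CA may issue
    "strict.example": [CAARecord(CRITICAL, "futuretag", "x")],  # critical, unknown property
}

Lookup = Callable[[str], List[CAARecord]]


def zone_lookup(name: str) -> List[CAARecord]:
    """Stand-in for a DNS CAA query against the constructed zone."""
    return ZONE.get(name, [])


def relevant_rrset(fqdn: str, lookup: Lookup = zone_lookup) -> List[CAARecord]:
    """RFC 8659 section 3: the CAA RRset at fqdn or at the nearest ancestor
    that has one; empty if no name up to the root publishes CAA records."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        rrset = lookup(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]  # climb one label towards the root
    return []


def issuer_domain(value: str) -> str:
    """Issuer domain name from an issue property value, dropping any
    ';'-separated parameters. An empty result means 'no CA may issue'."""
    return value.split(";", 1)[0].strip().lower()


def mailbox_domain(email: str) -> str:
    """Domain part of a mailbox address, lower-cased."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {email!r}")
    return domain.lower()


def issuance_permitted(email: str, ca_id: str, lookup: Lookup = zone_lookup) -> bool:
    """Would a CA identified by ca_id be allowed, under the issue property,
    to issue a certificate naming this mailbox's domain?"""
    rrset = relevant_rrset(mailbox_domain(email), lookup)
    if not rrset:
        return True  # no CAA anywhere up the chain: CAA imposes no restriction
    # A critical record with a property the CA does not understand forbids issuance.
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & CRITICAL and r.tag.lower() not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    if not issue:
        return True  # CAA present but the issue property is unused: unrestricted
    return any(issuer_domain(r.value) == ca_id.lower() for r in issue)


if __name__ == "__main__":
    for addr in ("alice@mail.example.net", "bob@open.example",
                 "carol@locked.example", "dave@strict.example"):
        print(addr, issuance_permitted(addr, "ca-one.example"))
```

Two things the climb makes visible. A provider that deliberately publishes no CAA for its mailbox domains is only unrestricted if no ancestor name publishes one either, since the lookup keeps walking up. And an `issue` record published for TLS purposes applies unchanged under this check, which is exactly why a restrictive TLS policy on a mail domain would block S/MIME issuance for that domain's users if CAs started applying CAA to mailbox addresses.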

