As you note, the focus on gmail.com is to entirely miss the point of paypal.com - and virtually every other organizational identity out there that wishes to sign their certificates.
Further, even when using 'hosted' mail provisioning, it's possible to use S/MIME, possibly even with auto-enrollment (and even server-mediated S/MIME - https://support.google.com/a/answer/6374496?hl=en ). It's the same distinction between, say, Google AppEngine (in which Google manages the certs and TLS termination) versus Google Cloud Platform (in which you could fully terminate TLS in your VM with your own domain).

On Tue, May 15, 2018 at 9:21 PM, Phillip Hallam-Baker via dev-security-policy <[email protected]> wrote:

> When I wrote CAA, my intention was for it to apply to SSL/TLS certs only.
> I did not consider S/MIME certs to be relevant precisely because of the
> [email protected] problem.
>
> I now realize that was entirely wrong and that there is in fact great
> utility in allowing domain owners to control their domains (or not).
>
> If gmail want to limit the issue of Certs to one CA, fine. That is a
> business choice they have made. If you want to have control of your online
> identity, you need to have your own personal domain. That is why I have
> hallambaker.com. All my mail is forwarded to gmail.com but I control my
> identity and can change mail provider any time I want.
>
> One use case that I see as definitive is to allow paypal to S/MIME sign
> their emails. That alone could take a bite out of phishing.
>
> But even with gmail, the only circumstance I could see where a mail
> service provider like that would want to restrict cert issue to one CA
> would be if they were to roll out S/MIME with their own CA.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
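An added example, not from this thread and not code from Mozilla or any CA, showing the mechanism the thread argues for: a CA applying a CAA lookup to the domain part of an email address before issuing an S/MIME certificate. It uses the RFC 8659 tree-climbing rule for finding the relevant RRset and the `issuemail` property tag that RFC 9495 later defined (the thread itself names no tag); the DNS answers, CA names and addresses are constructed inline rather than looked up live.

```python
"""Evaluate whether a CA may issue an S/MIME certificate for an email address,
given CAA records. Zone data below is constructed for the example; the CA and
domain names are placeholders, not real operators."""

# Constructed CAA data: owner name -> list of (flags, tag, value).
CAA_ZONE = {
    # a personal domain whose owner pins S/MIME issuance to one CA
    "hallambaker.com": [(0, "issuemail", "ca-one.example"),
                        (0, "issue", "ca-one.example")],
    # an organisation restricting S/MIME issuance to its contracted CA
    "paypal.com": [(0, "issuemail", "corp-ca.example; account=42")],
    # a hosted-mail provider publishing no CAA at all: no restriction
    "gmail.com": [],
    # a subdomain with no records of its own inherits the parent's policy,
    # which here forbids every CA (empty issuer, critical flag set)
    "mail.corp.example": [],
    "corp.example": [(128, "issuemail", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def email_domain(address):
    """Domain part of an addr-spec, lowercased, with any trailing dot removed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.rstrip(".").lower()


def relevant_caa(domain, zone=CAA_ZONE):
    """RFC 8659 section 3: climb from the domain toward the root; the first
    non-empty CAA RRset is the relevant one. Returns (owner, records)."""
    labels = domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def ca_may_issue_smime(address, ca, zone=CAA_ZONE):
    """True if `ca` is authorised to issue an S/MIME cert for `address`."""
    _, rrset = relevant_caa(email_domain(address), zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # critical property we do not understand: refuse
    issuemail = [v for _, tag, v in rrset if tag == "issuemail"]
    if not issuemail:
        return True  # RFC 9495: no issuemail property means no S/MIME limit
    # The issuer domain is the value before any ";"-separated parameters;
    # an empty issuer (";") permits no CA at all.
    return any(v.split(";")[0].strip() == ca for v in issuemail)
```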

