The purposes of this E value and the SAN-rfc822 value are completely different. The former is typically information for server users about where its support is. The latter is for email messaging. Thus it is natural that the verification requirements of those two fields are also different (like they are).
I completely agree that verification of SAN-rfc822 has to be challenge-response or domain based, but the same doesn't apply to this E, which is only an informative field like OU.