Now that the Symantec TLS distrust is essentially behind us, we're working on migrating all of the S/MIME certificates to DigiCert hierarchies. Once this is complete, the browsers can remove the legacy Symantec roots completely. In my new compliance role, I'm looking at how to create a smooth, but compliant, transition process. One major question I had while reviewing some of the systems is the frequency of S/MIME cert reverification. Nothing is specified in the policy that I could see. I thought I'd raise the question here to see if there's a policy somewhere else or if Mozilla wants to consider an official policy in one of its next updates.
Some systems look like they verify the email address/domain name at issuance and then never again for the same account. Other systems verify the email address and domain every 825 days. The last set verifies the email address each time a certificate is issued. I think each is equally compliant, but the set-it-and-forget-it method doesn't seem in the spirit of ensuring control over the email address. Is there guidance on how often this reverification should occur? Thanks for the input.

Jeremy
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy