This is one of the reasons I wanted to raise the issue. Issuing the cert and delivering to the email seems like a pretty common way to verify email certs (either you have access to the email or you don't), but this is backwards from TLS. Is this particular process a violation of the Mozilla policy?
Mozilla policy, Section 2.2 #2: "For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification."

There's nothing that specifies the cert must be issued after verifying control or that issuance can't be part of the verification process. Although this seems backwards, I still think it's compliant with the Mozilla policy.

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Matt Palmer via dev-security-policy
Sent: Thursday, December 13, 2018 2:39 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: s/MIME certs and authentication

On Thu, Dec 13, 2018 at 09:50:21AM -0800, pedro.wisekey--- via dev-security-policy wrote:
> For S/MIME capability itself, we are required to ensure that "the
> entity submitting the request controls the email account associated
> with the email address referenced in the certificate", so by merely
> making the process to require the user to access his email account to,
> for example, download the renewed certificate it seems to be enough,
> as any other method like a bounce-back message could probably get to the same result.

That seems rather backwards. You're issuing the certificate and *then* validating control of the e-mail address. I doubt that issuing a TLS server certificate and then performing domain control validation would be considered acceptable, and I don't imagine there's enough of a difference in S/MIME certificates to make it acceptable for those, either.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy