Hello Wayne:

The current wording in section 2.2 "Validation Practices" of the Mozilla Root Store Policy says:

2. For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification.

Does the proposed change seek to replace that text - or to clarify that only the CA may perform the verifications? Something like this ...

2. For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures, which must not be delegated to a third party, to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification.

Regards,
Stephen

-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Wayne Thayer via dev-security-policy
Sent: Monday, May 13, 2019 2:25 PM
To: Mozilla <[email protected]>
Subject: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

The BRs forbid delegation of domain and IP address validation to third parties. However, the BRs don't forbid delegation of email address validation, nor do they apply to S/MIME certificates. Delegation of email address validation is already addressed by Mozilla's Forbidden Practices [1], which state: "Domain and Email validation are core requirements of the Mozilla's Root Store Policy and should always be incorporated into the issuing CA's procedures.
Delegating this function to 3rd parties is not permitted."

I propose that we move this statement (changing "the Mozilla's Root Store Policy" to "this policy") into policy section 2.2 "Validation Practices". This is https://github.com/mozilla/pkipolicy/issues/175

I will appreciate everyone's input on this proposal.

- Wayne

[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

