Piggybacking on Ryan's message and putting it into my mundane words, I'd say that 
it is reasonable to say that a CA must not delegate the validation of what is 
after the @ in the email address, but I think it's totally admissible to let 
the domain owner (and typically email service provider) assume the task of 
issuing certificates to its users without further intervention of the CA once the 
domain part has been validated.

Just my two cents...

Pedro

On Monday, 13 May 2019, 19:58:46 (UTC+2), Ryan Sleevi wrote:
> On Mon, May 13, 2019 at 1:25 PM Wayne Thayer via dev-security-policy <
> [email protected]> wrote:
> 
> > The BRs forbid delegation of domain and IP address validation to third
> > parties. However, the BRs don't forbid delegation of email address
> > validation nor do they apply to S/MIME certificates.
> >
> > Delegation of email address validation is already addressed by Mozilla's
> > Forbidden Practices [1], which state:
> >
> > "Domain and Email validation are core requirements of the Mozilla's Root
> > Store Policy and should always be incorporated into the issuing CA's
> > procedures. Delegating this function to 3rd parties is not permitted."
> >
> > I propose that we move this statement (changing "the Mozilla's Root Store
> > Policy" to "this policy") into policy section 2.2 "Validation Practices".
> >
> > This is https://github.com/mozilla/pkipolicy/issues/175
> >
> > I will appreciate everyone's input on this proposal.
> >
> > - Wayne
> >
> 
> This strikes me as tricky to get right, because an e-mail contains both a
> local-part and a domain (to use the terminology from RFC 5322, 3.4.1) [1]
> 
> Under the SSL/TLS model, we do allow partial (conceptual) delegation of
> domain validation, with respect to Section 1.3.2 of the BRs [2] ("The CA
> SHALL confirm that the requested Fully-Qualified Domain Name(s) are within
> the Enterprise RA's verified Domain Namespace") and the use of
> "Authorization Domain Names". I say it's partial, because the CA still has
> certain obligations (such as CAA checking), but otherwise can allow an
> external entity to represent subdomains as authorized, without requiring
> additional control validation.
> 
> I highlight this, because in the context of S/MIME, the question is whether
> or not the CA is responsible for validating the local-part, or whether it
> may delegate validation of that to the operator of the domain. The
> semantics of the local-part are entirely at the responsibility of the
> holder - they can, for example, dictate that local-parts are equivalent
> based on the presence of full-stop (".") characters, or they might even
> designate equivalence based on the presence of some token (for example, the
> use of "+label"), both examples taken from Gmail/GSuite, but which have
> since expanded among industry.
> 
> I think it's fairly reasonable to designate an organization as an
> Enterprise RA, in the S/MIME sense, allowing them to control issuance for
> arbitrary local-parts if they've demonstrated control over the domain (and
> thus, correspondingly, the primary MX records). Is this something you think
> is reasonable to continue supporting, or is this something you'd like to
> prohibit? Understanding your/Mozilla's goals would help figure out
> productive next steps - whether to convince you otherwise ;) or to provide
> draft language accounting for it.
> 
> [1] https://tools.ietf.org/html/rfc5322#section-3.4.1
> [2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.5.pdf

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
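The split the thread is discussing, as an added example that is not part of Pedro's or Ryan's messages and not Mozilla or CA/Browser Forum code: the CA checks only that the domain part of a requested S/MIME address falls inside a namespace it has validated (label-wise, the BR "Domain Namespace" notion, so that "notexample.com" is not inside "example.com"), while equivalence of local-parts is whatever the domain operator declares. The policy knobs (`ignore_dots`, `subaddress_separator`), the function names, and all addresses and namespaces below are constructed for illustration; the dot-insensitive and "+label" rules mirror the Gmail behaviour Ryan mentions but are not a description of any real provider's exact rules.

```python
"""Added example: separate CA-side domain-namespace checks from
domain-operator-side local-part equivalence for S/MIME addresses.
Policies, namespaces and addresses are constructed, not real."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# One DNS label: letters, digits, hyphens, 1..63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def _domain_labels(domain: str) -> Tuple[str, ...]:
    """Lower-case, drop one trailing dot, and validate every label."""
    domain = domain.lower()
    if domain.endswith("."):
        domain = domain[:-1]
    labels = tuple(domain.split("."))
    if not labels or any(_LABEL.fullmatch(lbl) is None for lbl in labels):
        raise ValueError(f"invalid domain: {domain!r}")
    return labels


def split_addr(addr: str) -> Tuple[str, str]:
    """Split an addr-spec (RFC 5322 3.4.1: local-part '@' domain) at the
    last '@'. Quoted local-parts are rejected to keep the example small."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or local.startswith('"'):
        raise ValueError(f"unsupported address: {addr!r}")
    return local, domain


def in_domain_namespace(domain: str, namespace: str) -> bool:
    """True if domain equals namespace or is subordinate to it, compared
    label by label so 'notexample.com' is not inside 'example.com'."""
    d, ns = _domain_labels(domain), _domain_labels(namespace)
    return len(d) >= len(ns) and d[-len(ns):] == ns


def ca_may_issue(addr: str, verified_namespaces: Iterable[str]) -> bool:
    """CA-side check: only the domain part is examined. The local-part is
    left to the domain operator acting as Enterprise RA."""
    _, domain = split_addr(addr)
    return any(in_domain_namespace(domain, ns) for ns in verified_namespaces)


@dataclass(frozen=True)
class LocalPartPolicy:
    """Equivalence rules a domain operator may declare (hypothetical knobs)."""
    case_insensitive: bool = True          # most operators fold case
    ignore_dots: bool = False              # 'j.doe' == 'jdoe'
    subaddress_separator: Optional[str] = None  # '+': 'jdoe+tag' == 'jdoe'


def normalize_local_part(local: str, policy: LocalPartPolicy) -> str:
    """Canonical form of a local-part under the operator's declared rules."""
    if policy.case_insensitive:
        local = local.lower()
    sep = policy.subaddress_separator
    if sep and sep in local:
        local = local.split(sep, 1)[0]
    if policy.ignore_dots:
        local = local.replace(".", "")
    return local


def same_mailbox(a: str, b: str, policies: Dict[str, LocalPartPolicy]) -> bool:
    """Domain-operator-side check: do two addresses name one mailbox under
    that domain's policy? Domains without a declared policy fold case only."""
    la, da = split_addr(a)
    lb, db = split_addr(b)
    da, db = ".".join(_domain_labels(da)), ".".join(_domain_labels(db))
    if da != db:
        return False
    policy = policies.get(da, LocalPartPolicy())
    return normalize_local_part(la, policy) == normalize_local_part(lb, policy)


if __name__ == "__main__":
    # Constructed data: the CA has validated control of example.com only.
    verified = ["example.com"]
    # Constructed policy the operator of example.com declares for its users.
    policies = {"example.com": LocalPartPolicy(ignore_dots=True,
                                               subaddress_separator="+")}
    for req in ["alice@mail.example.com", "bob@notexample.com"]:
        print(req, "->", "CA may issue" if ca_may_issue(req, verified)
              else "outside verified namespace")
    print(same_mailbox("J.Doe+ca@example.com", "jdoe@EXAMPLE.com", policies))
```

The point of keeping `ca_may_issue` and `same_mailbox` as separate functions is that they belong to different parties: the first is the check the CA cannot delegate, the second encodes semantics only the domain operator can know, which is why a CA has no principled way to validate a local-part on its own.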
