On 5/13/19 10:24 AM, Wayne Thayer wrote:
The BRs forbid delegation of domain and IP address validation to third
parties. However, the BRs don't forbid delegation of email address
validation nor do they apply to S/MIME certificates.
Delegation of email address validation is already addressed by Mozilla's
Forbidden Practices [1], which state:
"Domain and Email validation are core requirements of the Mozilla's Root
Store Policy and should always be incorporated into the issuing CA's
procedures. Delegating this function to 3rd parties is not permitted."
I propose that we move this statement (changing "the Mozilla's Root Store
Policy" to "this policy") into policy section 2.2 "Validation Practices".
This is https://github.com/mozilla/pkipolicy/issues/175
I will appreciate everyone's input on this proposal.
- Wayne
[1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
All,
As the person who filed the GitHub issue for this, I would like to
provide some background and my opinion.
Currently the 'Delegation of Domain / Email Validation to Third Parties'
section of the 'Forbidden Practices' page says:
"This is forbidden by the Baseline Requirements, section 1.3.2.
Domain and Email validation are core requirements of the Mozilla's Root
Store Policy and should always be incorporated into the issuing CA's
procedures. Delegating this function to 3rd parties is not permitted."
Based on the way that section is written, it appears that domain
validation (and the BRs) was the primary consideration, and that the
Email part of it was an afterthought, or added later. Historically, my
attention has been focused on TLS certs, so it is possible that the
ramifications of adding Email validation to this section were not fully
thought through.
I don't remember who added this email validation text or when, but I can
tell you that when I review root inclusion requests I have only been
concerned about making sure that domain validation is not being
delegated to 3rd parties. It wasn't until a representative of a CA
brought this to my attention that I realized that there has been a
difference in text on this wiki page versus the rules I have been trying
to enforce. That is when I filed the GitHub issue.
I propose that we can resolve this discrepancy for now by removing "/
Email Validation" from the title of the section and removing "and Email"
from the contents of the section.
Unless we believe there are significant security reasons to add our own
S/MIME required/forbidden practices at this time, my preference is to
wait for the CA/Browser Forum to create the S/MIME Working Group, and
for that group to identify the S/MIME baseline requirements. Then we can
add policy and required/forbidden practices based on the S/MIME BRs
provided by that group.
I do realize that my proposal is unfair to CAs who have been diligently
following this section of this wiki page. Your diligence is appreciated,
and your contributions to this discussion will also be appreciated.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy