Thanks Jeremy, Dimitris. It does help clarify. I think we're all on the same page: namely, in all cases, the CA does the validation of (at minimum) the domain portion.

I think it might be useful to think of this like the split between Authorization Domain Name and Fully Qualified Domain Name. A CA isn't /required/ to only use the ADN, they could validate just the FQDN and always at the FQDN level. But, in both cases, they have to at least validate (a portion of) the domain name.

For S/MIME, the idea here is:

- If the CA had validated the domain portion, they could delegate the validation of the local part to the RA. This is the same as the concept of Enterprise RA, which allows the RA to handle the O/OU and other attributes, as long as the CA validated the domain.
- Alternatively, the CA could validate the entire e-mail address (e.g. using a random value)

But in both cases, the CA is involved in any domain-part validation.

Perhaps said differently:

The CA MUST verify all e-mail addresses using a process that is substantially similar to the process used to verify domain names, as described in the Baseline Requirements. The CA SHALL NOT delegate validation of the domain part of an e-mail address. The CA SHALL NOT delegate validation of the local part of an e-mail address except when delegating to an Enterprise RA, provided that the domain part of the e-mail address is within the Enterprise RA's verified Domain Namespace.

I tried a couple variations of this (e.g. MAY delegate), but that could be read as a loophole of allowing other forms of local-part delegation (i.e. the "MAY" reads as "MAY use an Enterprise RA, or MAY use whatever else you want", instead of "MAY" only if Enterprise RA)

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy