Thanks Jeremy, Dimitris,

It does help clarify. I think we're all on the same page: namely, in all
cases, the CA does the validation of (at minimum) the domain portion.

I think it might be useful to think of this like the split between
Authorization Domain Name and Fully Qualified Domain Name. A CA isn't
/required/ to only use the ADN, they could validate just the FQDN and
always at the FQDN level. But, in both cases, they have to at least
validate (a portion of) the domain name.

For S/MIME, the idea here is:
- If the CA had validated the domain portion, they could delegate the
validation of the local part to the RA. This is the same as the concept of
Enterprise RA, which allows the RA to handle the O/OU and other attributes,
as long as the CA validated the domain.
- Alternatively, the CA could validate the entire e-mail address (e.g.
using a random value)

But in both cases, the CA is involved in any domain-part validation.

Perhaps said differently:
The CA MUST verify all e-mail addresses using a process that is
substantially similar to the process used to verify domain names, as
described in the Baseline Requirements.
The CA SHALL NOT delegate validation of the domain part of an e-mail
The CA SHALL NOT delegate validation of the local part of an e-mail address
except when delegating to an Enterprise RA, provided that the domain part of
the e-mail address is within the Enterprise RA's verified Domain Namespace.

I tried a couple of variations of this (e.g. MAY delegate), but that could be
read as a loophole of allowing other forms of local-part delegation (i.e.
the "MAY" reads as "MAY use an Enterprise RA, or MAY use whatever else you
want", instead of "MAY" only if Enterprise RA).
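The split described in this message (CA always validates the domain part; the local part may be handed to an Enterprise RA only when the domain part falls inside that RA's verified Domain Namespace) can be written down as a small policy check. The code below is an added illustration, not code from the thread, from Mozilla, or from any CA: the names `CA`, `EnterpriseRA`, `may_delegate` and the sample domains are hypothetical, and it assumes, following the ADN/FQDN analogy above, that a verified parent domain covers its subdomains.

```python
"""Policy model for S/MIME e-mail address validation (added example, hypothetical)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EnterpriseRA:
    """An Enterprise RA and the domains the CA has verified for it (hypothetical)."""
    name: str
    verified_domain_namespace: frozenset


@dataclass
class CA:
    """A CA's own record of validated domains and its registered Enterprise RAs."""
    validated_domains: set = field(default_factory=set)
    enterprise_ras: dict = field(default_factory=dict)


def split_email(address):
    """Return (local_part, domain_part). The rightmost '@' separates them,
    since a quoted local part may itself contain '@'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return local, domain.lower().rstrip(".")


def in_namespace(domain, namespace):
    """True if `domain` or one of its parent domains is in `namespace`.
    Assumption (ADN-style): verifying example.com also covers mail.example.com."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in namespace for i in range(len(labels)))


def may_delegate(ca, address, delegate_to=None):
    """Decide whether the proposed validation arrangement is permitted.

    Returns (permitted, domain_validator, local_validator, reason).
    - The domain part is never delegated: the CA must have validated it.
    - The local part is validated by the CA unless delegated to an
      Enterprise RA whose verified namespace contains the domain part.
    """
    _local, domain = split_email(address)

    # Rule 1: the CA itself must have validated the domain part.
    if not in_namespace(domain, ca.validated_domains):
        return (False, "CA", "CA", f"CA has not validated domain {domain}")

    # No delegation: the CA validates the entire address (e.g. random value
    # sent to the mailbox, per the message above).
    if delegate_to is None:
        return (True, "CA", "CA", "CA validates the entire e-mail address")

    # Rule 2: local-part delegation only to a registered Enterprise RA ...
    ra = ca.enterprise_ras.get(delegate_to)
    if ra is None:
        return (False, "CA", delegate_to, f"{delegate_to} is not an Enterprise RA")

    # ... and only for addresses inside that RA's verified Domain Namespace.
    if not in_namespace(domain, ra.verified_domain_namespace):
        return (False, "CA", ra.name,
                f"{domain} is outside {ra.name}'s verified Domain Namespace")

    return (True, "CA", ra.name, "local part delegated to Enterprise RA")


def demo_ca():
    """Constructed sample: CA has validated two domains, one Enterprise RA registered."""
    ca = CA(validated_domains={"example.com", "corp.example.net"})
    ca.enterprise_ras["acme"] = EnterpriseRA("acme", frozenset({"example.com"}))
    return ca


if __name__ == "__main__":
    ca = demo_ca()
    for addr, ra in [("alice@example.com", None),
                     ("bob@mail.example.com", "acme"),
                     ("carol@corp.example.net", "acme"),
                     ("dave@other.org", None),
                     ("eve@example.com", "reseller")]:
        print(addr, ra, "->", may_delegate(ca, addr, ra))
```

The check is deliberately asymmetric: `delegate_to` only ever affects who validates the local part, so there is no code path by which the domain part ends up with anyone but the CA. That matches the "SHALL NOT delegate validation of the domain part" wording, while the Enterprise RA branch encodes the single permitted exception for the local part.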