On Mon, Oct 21, 2019 at 7:58 PM Wayne Thayer <wtha...@mozilla.com> wrote:

>> The CA MUST verify all e-mail addresses using a process that is
>> substantially similar to the process used to verify domain names, as
>> described in the Baseline Requirements.
>>
>
> This seems problematic because it could be interpreted as forbidding an
> email challenge-response validation, not to mention that "substantially"
> leaves a lot of room for interpretation.
>

Yeah, this was more about short-hand matching the existing 2.2 requirements
for validation, which leave "reasonable measures" as the validation
requirement (i.e. even more room for interpretation ;D)

>> The CA SHALL NOT delegate validation of the domain part of an e-mail
>> address.
>>
>
> This is
> https://github.com/mozilla/pkipolicy/commit/85ae5a1b37ca8e5138d56296963195c3c7dec85a
>

Sounds good. This was your proposed response to solving this issue back on
May 13, so it's full circle :)

>> The CA SHALL NOT delegate validation of the local part of an e-mail address
>> except when delegating to an Enterprise RA, provided that the domain part of
>> the e-mail address is within the Enterprise RA's verified Domain Namespace.
>>
>
> This seems to go beyond the original intent of this issue and the
> discussion to-date, and Enterprise RAs are not defined in the context of
> S/MIME certificates. Why is the existing language in section 2.2(2)
> insufficient to cover this requirement?
>

Your original proposal seemed to entirely do away with this ("Delegating
this function to 3rd parties is not permitted."). I was trying to capture
the subset for the use case folks identified (including my initial reply to
your proposal, back on May 13), while still being more prescriptive. The
issue/concern would be a CA reads that they shall not delegate the domain
portion, but don't realize it /also/ means they can't delegate 'total'
validation, since the full e-mail also contains a domain part. i.e. that I
can't delegate validating sleevi.example, but I can totally delegate
validating ryan@sleevi.example since that's not delegating "just" a domain
part, but delegating validation of a "total" email. It's contrived, I agree,
but it was trying to match your original, much more restrictive language,
of not allowing any delegation of e-mail.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy