On Mon, Oct 21, 2019 at 7:01 PM Ryan Sleevi <r...@sleevi.com> wrote:

> On Mon, Oct 21, 2019 at 7:58 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>>> The CA MUST verify all e-mail addresses using a process that is
>>> substantially similar to the process used to verify domain names, as
>>> described in the Baseline Requirements.
>>
>> This seems problematic because it could be interpreted as forbidding an
>> email challenge-response validation, not to mention that "substantially"
>> leaves a lot of room for interpretation.
>
> Yeah, this was more about short-hand matching the existing 2.2
> requirements for validation, which leave "reasonable measures" as the
> validation requirement (i.e. even more room for interpretation ;D)
>
>>> The CA SHALL NOT delegate validation of the domain part of an e-mail
>>> address.
>>
>> This is
>> https://github.com/mozilla/pkipolicy/commit/85ae5a1b37ca8e5138d56296963195c3c7dec85a
>
> Sounds good. This was your proposed response to solving this issue back on
> May 13, so it's full circle :)
>

I'm going to consider this issue resolved unless there are further comments.

>>> The CA SHALL NOT delegate validation of the local part of an e-mail
>>> address except when delegating to an Enterprise RA, provided that the
>>> domain part of the e-mail address is within the Enterprise RA's verified
>>> Domain Namespace.
>>
>> This seems to go beyond the original intent of this issue and the
>> discussion to-date, and Enterprise RAs are not defined in the context of
>> S/MIME certificates. Why is the existing language in section 2.2(2)
>> insufficient to cover this requirement?
>
> Your original proposal seemed to entirely do away with this ("Delegating
> this function to 3rd parties is not permitted."). I was trying to capture
> the subset for the use case folks identified (including my initial reply to
> your proposal, back on May 13), while still being more prescriptive.
>
> The issue/concern would be a CA reads that they shall not delegate the
> domain portion, but don't realize it /also/ means they can't delegate
> 'total' validation, since the full e-mail also contains a domain part. i.e.
> that I can't delegate validating sleevi.example, but I can totally delegate
> validating ryan@sleevi.example since that's not delegating "just" a
> domain part, but delegating validation of a "total" email.
>
> It's contrived, I agree, but it was trying to match your original, much
> more restrictive language, of not allowing any delegation of e-mail.