On Tue, Oct 22, 2019 at 10:59 AM Buschart, Rufus via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> > >     Sounds good. This was your proposed response to solving this issue
> > >     back on May 13, so it's full circle :)
> > >
> > >
> > > I'm going to consider this issue resolved unless there are further
> > > comments.
> >
> > Just checking whether the following is acceptable.
> >
> > If a CA validates the domain mycompany.example being owned/controlled by
> > "mycompany", can this company delegate the issuance of
> > S/MIME certificates for subsection1.mycompany.example to an internal
> > department or a subsidiary? Does the proposed language allow
> > this?
>
> I'm also not sure if I understand the wording correctly. Let's assume an
> internal CA of company "mycompany" gets successfully validated for
> mycompany.example and receives a (possibly name constrained) certificate
> for its issuing CA from one of the root CAs. Can this internal CA issue
> certificates for every email address under @mycompany.example without
> further validation, or is an internal validation process required? My
> opinion is that such an internal validation process doesn't increase
> security, since mycompany controls the mailservers of mycompany and can
> anyhow validate everything.
>
>
Thanks Dimitris and Rufus. Would it satisfy your concern if the requirement
was changed to:

The CA SHALL NOT delegate validation of the Base Domain Name (as defined in
the Baseline Requirements) portion of an email address.

Alternately, would this create an unacceptable loophole in the requirement
and if so, can you suggest a more secure alternative?

> By the way: How are CAA records to be treated in the scope of S/MIME? Since
> gmail.com has a CAA record that prevents every CA except Google from
> issuing certificates for gmail.com, does this also forbid every CA from
> issuing certificates for rufus.busch...@gmail.com?
>
>
I'm not aware of any current policy that requires CAs to perform CAA checks
on S/MIME certificates.

> With best regards,
> Rufus Buschart
>
> Siemens AG
> Siemens Operations
> Information Technology
> Value Center Core Services
> SOP IT IN COR
> Freyeslebenstr. 1
> 91058 Erlangen, Germany
> Tel.: +49 1522 2894134
> mailto:rufus.busch...@siemens.com
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>