On Thu, Oct 24, 2019 at 10:33 AM Buschart, Rufus <rufus.busch...@siemens.com>
wrote:

> On Tue, Oct 22, 2019 at 4:23 PM Ryan Sleevi <mailto:r...@sleevi.com> wrote:
> > On Tue, Oct 22, 2019 at 6:31 PM Wayne Thayer via dev-security-policy
> > <mailto:dev-security-policy@lists.mozilla.org> wrote:
> >> Thanks Dimitris and Rufus. Would it satisfy your concern if the
> >> requirement was changed to:
> >>
> >> The CA SHALL NOT delegate validation of the Base Domain Name (as
> >> defined in the Baseline Requirements) portion of an email address.
>
> Thanks Wayne, I like the new wording.
>
> > If the CA has validated "mycompany.example", associated with account
> > "mycompany", what is the expectation for 'localpart'?
> >
> > Interpretation 1) The CA MAY delegate validation of the localpart to
> > 'mycompany'. However, 'mycompany' MUST take reasonable measure ...
> > Interpretation 2) By validating 'mycompany' as to have control over
> > 'mycompany.example', the CA has taken reasonable measure. No further
> > validation requirements exist for the localpart, provided it is directed
> > by the 'mycompany' account, as 'mycompany' is seen to implicitly have
> > control over the MX records.
> >
> > I'm not sure Interpretation #2 fully holds (e.g. if the CA were using
> > something like 3.2.2.4.6 or a non-DNS-based challenge), but I think it was
> > trying to get at whether (CA || mycompany) needs to perform some validation
> > step for 'localpart' once the validation for the domain part is done.
>
> I simply want to avoid getting into the situation where I, as the operator
> of an internal Enterprise PKI, have to do some additional email validation
> on our own mailboxes. We do have 350 k users; if the validation process
> fails for only 1% of them, we have 3500 help desk tickets.
>
> One last remark: I might be the only one, but I'm not 100% sure what the
> "this verification" at the end of the last sentence refers to. Is "this
> verification" (a) the verification of the Authorization Domain Name, (b)
> the verification of the email address or (c) both together? If it is (b),
> as I believe, I would move the whole sentence, starting from "The CA's
> CP/CPS...", after the first sentence (ending with "the account holder's
> behalf").
>
>
I would argue that (a) is a subset of (b) and there is no difference
between (b) and (c), but the intent is (c). If a CA issues both TLS and
S/MIME certificates, their CPS could simply state that the domain component
is validated using the same methods as used for TLS. For a CA that only
issues S/MIME certificates, I want to see the methods used to validate the
domain part documented - especially given that they aren't subject to the
BRs - along with the methods used to validate the local part or the entire
address.

Would changing "this" to "email address" but leaving that sentence after
the domain part requirements make it clear? That would read:

"The CA's CP/CPS must clearly specify the procedure(s) that the CA employs
to perform email address verification."

- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
