Von: Wayne Thayer <wtha...@mozilla.com>
On Thu, Oct 24, 2019 at 10:33 AM Buschart, Rufus 
<mailto:rufus.busch...@siemens.com> wrote:
>> One last remark: I might be the only one, but I'm not 100% sure what the 
>> "this verification" at the end of the last sentence refers to.
>> Is "this verification" (a) the verification of the Authorization Domain 
>> Name, (b) the verification of the email address or (c) both together?
>> If it is (b), as I believe, I would move the whole sentence, starting from 
>> "The CA's CP/CPS...", after the first sentence (ending with "the
>> account holder's behalf").
> I would argue that (a) is a subset of (b) and there is no difference between 
> (b) and (c), but the intent is (c).

Your statement is, in my opinion, totally correct for external CAs. But the 
scenario I have in my mind is a little bit different: In my scenario, there is
a Root CA that is included in the Root stores serving the general public and an 
internal issuing CA only serving "mycompany". In this scenario, Root
CA issues a name-constrained S/MIME-issuing CA certificate to the internal CA 
of "mycompany" after this CA has proven control over the DNS records for
"mycompany.example". This proof of control should be based on the methods from 
BRG (taking Ryans remark about the problems of http-
validation for this scenario into account). The internal CA issues only S/MIME 
end-entity-certificates for mailboxes under @mycompany.example.
Now we have (a) and (b) as totally separated sets of verifications. In this 
scenario, I would expect, that the root CA describes (a) and the internal
issuing CA describes (b) in their CP/CPS.

> If a CA issues both TLS and
> S/MIME certificates, their CPS could simply state that the domain component 
> is validated using the same methods as used for TLS. For a
> CA that only issues S/MIME certificates, I want to see the methods used to 
> validate the domain part documented - especially given that
> they aren't subject to the BRs - along with the methods used to validate the 
> local part or the entire address.
> Would changing "this" to "email address" but leaving that sentence after the 
> domain part requirements make it clear? That would read:
> "The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to 
> perform email address verification."

If you think, that the scenario described above is covered by the proposed 
sentence I'd happy with it, but I'm not totally sure if it is covered.

And while writing this email, I think I found one more problem: You are using 
the term "email account holder" which isn't defined anywhere. Who
is the "email account holder" for john.doe@mycompany.example? Is it John Doe or 
is it "mycompany"? And in the case of
john.doe@public-mail-provider.example? Is it John Doe or the "public mail 
provider"? I think we need a definition, ideally based on the terms
"Subject" and "Subscriber". Or we replace "email account holder" with one of 
the two terms?


Siemens AG
Siemens Operations
Information Technology
Value Center Core Services
Freyeslebenstr. 1
91058 Erlangen, Germany
Tel.: +49 1522 2894134

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann 
Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive 
Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, 
Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; 
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; 
WEEE-Reg.-No. DE 23691322
dev-security-policy mailing list

Reply via email to