The Mozilla policy section 2.2 says: "the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate."
Since the Mozilla policy only applies to certificates with the EKU of Secure Mail (ignoring TLS in this discussion), it would seem to imply that only email addresses that could be used for sending or receiving signed or encrypted emails would be in scope. It's not against Mozilla policy to issue certificates with unvalidated email addresses in any field as long as the Secure Mail EKU is not included, so the intent should be to validate only those that are used for Secure Mail. As far as I know, the only fields that could be used by S/MIME applications are the CN, Email, and RFC822 SAN fields. We should clarify the Mozilla policy in section 2.2 to more clearly define the list of fields containing email addresses (those 3 listed above) that must be validated, so that this is clear and concise.

Wayne opened this issue in December and I just replied with a comment related to the validation requirements of SAN/Other Name/UPN: https://github.com/mozilla/pkipolicy/issues/200
dev-security-policy mailing list: https://lists.mozilla.org/listinfo/dev-security-policy
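As an added example (not code from the original post, from Mozilla or from any CA), the following Go program pulls out exactly the three email-bearing fields named in the post, the Subject CN, the Subject emailAddress attribute and rfc822Name SANs, from a parsed certificate, so a CA or auditor can see which addresses fall under the section 2.2 control check; otherName/UPN entries are deliberately not collected. The certificate, the addresses and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1} // PKCS#9 emailAddress: the Subject DN "Email" field

// EmailFieldsToValidate returns, per field, the addresses a CA must verify the requester controls
// before issuing a Secure Mail certificate: Subject CN (when it holds an address), Subject emailAddress, rfc822Name SANs.
func EmailFieldsToValidate(cert *x509.Certificate) map[string][]string {
	out := map[string][]string{}
	if cn := cert.Subject.CommonName; strings.Contains(cn, "@") {
		out["CN"] = append(out["CN"], cn)
	}
	for _, atv := range cert.Subject.Names { // Names holds every parsed DN attribute
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			out["emailAddress"] = append(out["emailAddress"], s)
		}
	}
	for _, e := range cert.EmailAddresses { // rfc822Name entries of the SAN extension
		out["rfc822Name"] = append(out["rfc822Name"], e)
	}
	return out
}

// newTestCert self-signs a certificate carrying all three email fields plus the Secure Mail EKU (constructed test data).
func newTestCert() (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	addr := "alice@example.test"
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: addr, ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidEmailAddress, Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(addr)}}}},
		EmailAddresses: []string{addr, "a.smith@example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```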

