Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-30 Thread Wayne Thayer via dev-security-policy
I've opened issue #196 [1] to track Rufus' suggested clarification for a future policy update. I'll consider this issue (#175) resolved unless further comments are received. - Wayne [1] https://github.com/mozilla/pkipolicy/issues/196 On Mon, Oct 28, 2019 at 4:41 PM Wayne Thayer wrote: > On

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-28 Thread Wayne Thayer via dev-security-policy
On Sun, Oct 27, 2019 at 3:46 PM Buschart, Rufus wrote: > Maybe the following could be a reasonable rewording of the paragraph that > makes the intention of the discussion clear, but isn't too 'clunky': > > For a certificate capable of being used for digitally signing or > encrypting email

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-25 Thread Ryan Sleevi via dev-security-policy
On Fri, Oct 25, 2019 at 6:44 PM Buschart, Rufus wrote: > Your statement is, in my opinion, totally correct for external CAs. But > the scenario I have in my mind is a little bit different: In my scenario, > there is > a Root CA that is included in the Root stores serving the general public > and

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-24 Thread Wayne Thayer via dev-security-policy
On Thu, Oct 24, 2019 at 10:33 AM Buschart, Rufus wrote: > On Tue, Oct 22, 2019 at 4:23 PM Ryan Sleevi > wrote: > > On Tue, Oct 22, 2019 at 6:31 PM Wayne Thayer via dev-security-policy > wrote: > >> Thanks Dimitris and Rufus.

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-22 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 22, 2019 at 4:23 PM Ryan Sleevi wrote: > > On Tue, Oct 22, 2019 at 6:31 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> > I'm also not sure if I understand the wording correctly. Let's assume, >> an >> > internal CA of company

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-22 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 22, 2019 at 6:31 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I'm also not sure if I understand the wording correctly. Let's assume, an > > internal CA of company "mycompany" gets successfully validated for > > mycompany.example and

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-22 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 22, 2019 at 10:59 AM Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > Sounds good. This was your proposed response to solving this issue > > > back on May 13, so it's full circle :) > > > > > > > > > I'm going to consider this issue

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-22 Thread Dimitris Zacharopoulos via dev-security-policy
On 2019-10-22 7:28 PM, Wayne Thayer wrote: The CA SHALL NOT delegate validation of the domain part of an e-mail address. This is https://github.com/mozilla/pkipolicy/commit/85ae5a1b37ca8e5138d56296963195c3c7dec85a Sounds good.

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-22 Thread Wayne Thayer via dev-security-policy
On Mon, Oct 21, 2019 at 7:01 PM Ryan Sleevi wrote: > > On Mon, Oct 21, 2019 at 7:58 PM Wayne Thayer wrote: > >> The CA MUST verify all e-mail addresses using a process that is >>> substantially similar to the process used to verify domain names, as >>> described in the Baseline Requirements.

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-21 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 21, 2019 at 7:58 PM Wayne Thayer wrote: > The CA MUST verify all e-mail addresses using a process that is >> substantially similar to the process used to verify domain names, as >> described in the Baseline Requirements. >> > > This seems problematic because it could be interpreted

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-21 Thread Wayne Thayer via dev-security-policy
On Sat, Oct 5, 2019 at 6:32 AM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Thanks Jeremy, Dimitris, > > It does help clarify. I think we're all on the same page: namely, in all > cases, the CA does the validation of (at minimum) the domain portion. > > I

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-05 Thread Ryan Sleevi via dev-security-policy
Thanks Jeremy, Dimitris, It does help clarify. I think we're all on the same page: namely, in all cases, the CA does the validation of (at minimum) the domain portion. I think it might be useful to think of this like the split between Authorization Domain Name and Fully Qualified Domain Name. A

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-05 Thread Dimitris Zacharopoulos via dev-security-policy
From: Ryan Sleevi Sent: Friday, October 4, 2019 10:56 PM To: Jeremy Rowley Cc: Kathleen Wilson ; Wayne Thayer ; mozilla-dev-security-policy Subject: Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates Jeremy: Could you describe a bit more who the actors

RE: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-05 Thread Jeremy Rowley via dev-security-policy
, 2019 10:56 PM To: Jeremy Rowley Cc: Kathleen Wilson ; Wayne Thayer ; mozilla-dev-security-policy Subject: Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates Jeremy: Could you describe a bit more who the actors are? Basically, it seems that the actual issuance

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-04 Thread Ryan Sleevi via dev-security-policy
in the BRs. > > -Original Message- > From: dev-security-policy > On Behalf Of Wayne Thayer via dev-security-policy > Sent: Friday, October 4, 2019 2:38 PM > To: Kathleen Wilson > Cc: mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.o

RE: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-04 Thread Jeremy Rowley via dev-security-policy
On Behalf Of Wayne Thayer via dev-security-policy Sent: Friday, October 4, 2019 2:38 PM To: Kathleen Wilson Cc: mozilla-dev-security-policy Subject: Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates I'd like to revive this discussion. So far we've

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-04 Thread Ryan Sleevi via dev-security-policy
On Fri, Oct 4, 2019 at 4:37 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > One thing that might help to resolve this is a more detailed description of > the weaknesses that are present in the process described by Ryan Hurst. If > we can all agree that

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-10-04 Thread Wayne Thayer via dev-security-policy
I'd like to revive this discussion. So far we've established that the existing "required practice" [1] is too stringent for email address validation and needs to be changed. We can do that by removing email addresses from the scope of the requirement as Kathleen proposed, or by exempting the local

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-23 Thread Kathleen Wilson via dev-security-policy
On 5/13/19 10:24 AM, Wayne Thayer wrote: The BRs forbid delegation of domain and IP address validation to third parties. However, the BRs don't forbid delegation of email address validation nor do they apply to S/MIME certificates. Delegation of email address validation is already addressed by

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Sleevi via dev-security-policy
On Wed, May 15, 2019 at 2:10 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Thanks. I think this is desirable to forbid, as it is insecure, and I > > believe it's already forbidden, because the process of step (4) is > relying > > on GMAIL to act as a

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Hurst via dev-security-policy
On Wednesday, May 15, 2019 at 10:36:00 AM UTC-7, Ryan Sleevi wrote: > On Wed, May 15, 2019 at 1:18 PM Ryan Hurst via dev-security-policy < > > Specifically where Wayne suggested: > > "CAs MUST NOT delegate validation of the domain name part of an email > > address to a 3rd party." > > > > Are you

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Sleevi via dev-security-policy
On Wed, May 15, 2019 at 1:18 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > I think this bears expansion because I don't think it's been clearly > > documented what flow you believe is currently permitted today that will > be > > prevented tomorrow

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Hurst via dev-security-policy
> I think this bears expansion because I don't think it's been clearly > documented what flow you believe is currently permitted today that will be > prevented tomorrow with this change. To be clear, in that statement I was referring to that scenario being allowed under the proposed change

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Sleevi via dev-security-policy
On Wed, May 15, 2019 at 11:52 AM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe the case where Google requests a certificate from the CA is > accommodated but not the case where SAAS requests a certificate from the CA > based on the authentication

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Hurst via dev-security-policy
> I must admit, I'm confused. Based on your concerns as I understand them, > either the scenario you're describing is already prohibited today (and thus > no change from existing policy), or its already permitted today and would > continue to be permitted with this change. I'm hoping you can

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Sleevi via dev-security-policy
On Wed, May 15, 2019 at 9:28 AM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Pedro, > > That scenario is addressed by Wayne's proposed change. > > That same change does not allow for applications that use GMail or their > federated authentication providers to

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Ryan Hurst via dev-security-policy
Pedro, That scenario is addressed by Wayne's proposed change. That same change does not allow for applications that use GMail or their federated authentication providers to use client certificates without sending each user to the CA. Ryan

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-15 Thread Pedro Fuentes via dev-security-policy
I have the feeling that this is going to something over-complicated... Let's think in a simple case, which is, I think, the most common scenario where there's some delegation: 1. A company needs MPKI service for its employees, who use email addresses in one or more domains owned by the company 2.

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-14 Thread Ryan Hurst via dev-security-policy
> Does replacing the existing "require practice" language by adding the > following sentence to the Root Store Policy achieve the clarity you're > seeking and avoid the problems you've pointed out? > > "CAs MUST NOT delegate validation of the domain name part of an email > address to a 3rd

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-14 Thread Wayne Thayer via dev-security-policy
On Mon, May 13, 2019 at 9:13 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Though it seems the thread has largely expressed my concerns I do want to > chime in and stress that I believe that it is important that this text gets > clarified. > > Does

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-13 Thread Ryan Hurst via dev-security-policy
On Monday, May 13, 2019 at 10:25:18 AM UTC-7, Wayne Thayer wrote: > The BRs forbid delegation of domain and IP address validation to third > parties. However, the BRs don't forbid delegation of email address > validation nor do they apply to S/MIME certificates. > > Delegation of email address

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-13 Thread Wayne Thayer via dev-security-policy
On Mon, May 13, 2019 at 2:09 PM Pedro Fuentes via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Piggybacking to Ryan's message and putting into my mundane words, I'd say > that is reasonable to say that a CA must not delegate the validation of > what is after the @ in the

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-13 Thread Pedro Fuentes via dev-security-policy
Piggybacking to Ryan's message and putting into my mundane words, I'd say that is reasonable to say that a CA must not delegate the validation of what is after the @ in the email address, but I think it's totally admissible to let the domain owner (and typically email service provider) to

RE: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-13 Thread Stephen Davidson via dev-security-policy
Hello Wayne: The current wording in section 2.2 "Validation Practices" of the Mozilla Root Store Policy says: 2. For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-13 Thread Ryan Sleevi via dev-security-policy
On Mon, May 13, 2019 at 1:25 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The BRs forbid delegation of domain and IP address validation to third > parties. However, the BRs don't forbid delegation of email address > validation nor do they apply to