[Smcwg-public] [External Sender] Re: CAA for S/MIME
Adriano Santoni
adriano.santoni at staff.aruba.it
Thu Dec 14 14:05:42 UTC 2023
I agree with Bruce.
Adriano
On 14/12/2023 14:56, Bruce Morton via Smcwg-public wrote:
>
> I am wondering about this requirement, “CAA checking is optional for
> Certificates issued by a Technically Constrained Subordinate CA
> Certificate as set out in [Section 7.1.5](_#715-name-constraints_),
> where the lack of CAA checking is an explicit contractual provision in
> the contract with the Applicant.”
>
> I understand this came from the TLS BRs. My assumption is a
> Technically Constrained Subordinate CA only issues certificates for
> domains which are under the control of the Organization that operates the CA.
> For S/MIME the Applicants are employees or other people/entities which
> the Organization has approved can get an S/MIME certificate with their
> domain name. So what purpose is having an “explicit contractual
> position in the contract with the Applicant” to not check CAA? I guess
> this could be accomplished by adding to an internal subscription
> agreement, but does this provide any value?
>
> Could the requirements just be “CAA checking is optional for
> Certificates issued by a Technically Constrained Subordinate CA
> Certificate as set out in [Section 7.1.5](_#715-name-constraints_).”
>
> Thanks, Bruce.
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf
> Of* Stephen Davidson via Smcwg-public
> *Sent:* Wednesday, December 6, 2023 1:00 PM
> *To:* smcwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Smcwg-public] CAA for S/MIME
>
> Hello:
>
> Here is an updated diff for the CAA text following our discussions today:
>
> -As suggested by Cade, to add the TTL/8hr reference consistent with
> the TLS BR.
>
> -To add the implementation dates in 2.2 and 4.2
>
> https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...43228a41a5cc99a3301c4066621787cde7e0f79a
>
> The plan will be to move this to ballot at the start of 2024, so I
> encourage CAs to engage with operations teams and/or software vendors
> on the suitability of the implementation dates.
>
> Best regards, Stephen