[Smcwg-public] [External Sender] Re: CAA for S/MIME

Adriano Santoni adriano.santoni at staff.aruba.it
Thu Dec 14 14:05:42 UTC 2023


I agree with Bruce.

Adriano


On 14/12/2023 14:56, Bruce Morton via Smcwg-public wrote:
> I am wondering about this requirement, “CAA checking is optional for 
> Certificates issued by a Technically Constrained Subordinate CA 
> Certificate as set out in [Section 7.1.5](_#715-name-constraints_), 
> where the lack of CAA checking is an explicit contractual provision in 
> the contract with the Applicant.”
>
> I understand this came from the TLS BRs. My assumption is a 
> Technically Constrained Subordinate CA only issues certificates for 
> domains which are under the control of the Organization that operates the CA. 
> For S/MIME the Applicants are employees or other people/entities which 
> the Organization has approved can get an S/MIME certificate with their 
> domain name. So what purpose is having an “explicit contractual 
> position in the contract with the Applicant” to not check CAA? I guess 
> this could be accomplished by adding to an internal subscription 
> agreement, but does this provide any value?
>
> Could the requirements just be “CAA checking is optional for 
> Certificates issued by a Technically Constrained Subordinate CA 
> Certificate as set out in [Section 7.1.5](_#715-name-constraints_).”
>
> Thanks, Bruce.
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf 
> Of* Stephen Davidson via Smcwg-public
> *Sent:* Wednesday, December 6, 2023 1:00 PM
> *To:* smcwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Smcwg-public] CAA for S/MIME
>
> Hello:
>
> Here is an updated diff for the CAA text following our discussions today:
>
> -As suggested by Cade, to add the TTL/8hr reference consistent with 
> the TLS BR.
>
> -To add the implementation dates in 2.2 and 4.2
>
> https://github.com/srdavidson/smime/compare/241e92cde85c25d7e0d4a5c70118ecadacd4d72b...43228a41a5cc99a3301c4066621787cde7e0f79a
>
> The plan will be to move this to ballot at the start of 2024, so I 
> encourage CAs to engage with operations teams and/or software vendors 
> on the suitability of the implementation dates.
>
> Best regards, Stephen