<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Mozilla policy section 2.2 states:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate <u>or has been authorized by the email account holder to act on the account holder’s behalf. The CA SHALL NOT delegate validation of the domain portion of an email address.</u> The CA MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>One could argue that the use of CAA described in draft-biggs-acme </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>authorizes an SSO to act on an account holder’s behalf … but it is less clear if it fulfils the CA’s obligation to validate control of the domain portion. CAA as described here is not a method allowed under section 3.2.2.4 of the TLS BR so if this method was desired, we’d have to define suitable provision in the SMIME BR and also seek Mozilla’s acceptance.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Smcwg-public <smcwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br><b>Sent:</b> Monday, February 1, 2021 6:58 PM<br><b>To:</b> Rob Stradling <rob@sectigo.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; Tim Hollebeek <tim.hollebeek@digicert.com>; Neil Dunbar <ndunbar@trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr><br><b>Cc:</b> Kirk Hall <Kirk.Hall@entrust.com><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks for raising this Rob as it will come up in some detail later in our discussions relating to control of an email address.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> ACME Extension for Single Sign On Challenges<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Note that this not only defines an issueemail property for CAA, but also a validationmethods parameter which is squarely within the interest of this WG. Options defined in the RFC include an SSO option (including the ability to specify SSOproviders) as well as email verification (see other doc at <a href="https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt">https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt</a> Extensions to ACME</span> <span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>for end-user S/MIME certificates) mentioned previously.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Regards, Stephen<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Rob Stradling via Smcwg-public<br><b>Sent:</b> Monday, February 1, 2021 6:41 PM<br><b>To:</b> Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; Neil Dunbar <<a href="mailto:ndunbar@trustcorsystems.com">ndunbar@trustcorsystems.com</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br><b>Cc:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:black'>FYI, <a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> seeks to "extend CAA to allow control over issuance of certificates for email addresses within that domain".<o:p></o:p></span></p></div><div><div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div></body></html>