<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Stephen.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I agree that the "sso-01" method proposed in <a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-5">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-5</a> is not currently suitable for validating a publicly-trusted S/MIME certificate. 
 Furthermore, I don't think anyone intends that it should be used for this purpose.  AIUI, the leaf certificates envisaged by draft-biggs-acme-sso are not intended to be used for S/MIME at all.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> is interesting to this group because it also defines "smime-01", with reference to <a href="https://tools.ietf.org/html/draft-ietf-acme-email-smime-13">https://tools.ietf.org/html/draft-ietf-acme-email-smime-13</a>.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
TBH, I think it would make sense to split out Section 6 (CAA for Email Address Certificates) into a separate I-D.</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Stephen Davidson <Stephen.Davidson@digicert.com><br>
<b>Sent:</b> 02 February 2021 22:10<br>
<b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org>; Rob Stradling <rob@sectigo.com>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; Tim Hollebeek <tim.hollebeek@digicert.com>;
 Neil Dunbar <ndunbar@trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr><br>
<b>Cc:</b> Kirk Hall <Kirk.Hall@entrust.com><br>
<b>Subject:</b> RE: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME</font>
<div> </div>
</div>
<div lang="EN-US" style="word-wrap:break-word">
<p></p>
<br>
<p></p>
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">Mozilla policy section 2.2 states:</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;margin-left:.5in">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email
 account associated with the email address referenced in the certificate <u>or has been authorized by the email account holder to act on the account holder’s behalf. The CA SHALL NOT delegate validation of the domain portion of an email address.</u> The CA
 MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs
 to perform this verification.</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">One could argue that the use of CAA described in draft-biggs-acme
</span><span style="font-size:11.0pt; font-family:"Calibri",sans-serif">authorizes an SSO to act on an account holder’s behalf … but it is less clear if it fulfils the CA’s obligation to validate control of the domain portion.  CAA as described here is not
 a method allowed under section 3.2.2.4 of the TLS BR so if this method was desired, we’d have to define suitable provision in the SMIME BR and also seek Mozilla’s acceptance.</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br>
<b>Sent:</b> Monday, February 1, 2021 6:58 PM<br>
<b>To:</b> Rob Stradling <rob@sectigo.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; Tim Hollebeek <tim.hollebeek@digicert.com>; Neil Dunbar <ndunbar@trustcorsystems.com>; Dimitris
 Zacharopoulos (HARICA) <dzacharo@harica.gr><br>
<b>Cc:</b> Kirk Hall <Kirk.Hall@entrust.com><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
 </p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">Thanks for raising this, Rob, as it will come up in some detail later in our discussions relating to control of an email address.</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"><a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a>
 ACME Extension for Single Sign On Challenges</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">Note that this not only defines an issueemail property for CAA, but also a validationmethods parameter which is squarely within the interest of this WG.  Options defined in the RFC include an
 SSO option (including the ability to specify SSOproviders) as well as email verification (see other doc at
<a href="https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt">https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt</a> Extensions to ACME</span>
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">for end-user S/MIME certificates) mentioned previously.</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif">Regards, Stephen</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> </span></p>
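<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Added example (not code from the thread or from the draft): how a CA might evaluate such an issueemail record for an address before relying on it. It assumes the value syntax mirrors RFC 8659 issue records, that validationmethods names ACME challenge types as in RFC 8657, and that the lookup climbs the domain tree as RFC 8659 does; the zone data is constructed.</div>

```python
"""CA-side evaluation of a CAA policy for an e-mail address (added example).

Assumptions, not taken from the thread or the draft: an 'issueemail' value is
"<issuer-domain>[; key=value ...]" as in RFC 8659 'issue' records; 'validationmethods'
(RFC 8657 style) lists permitted ACME challenge types; no issueemail record up the tree
means CAA imposes no restriction. Mailbox control must still be validated separately."""

# Constructed zone data standing in for live DNS answers: (tag, value) pairs.
SAMPLE_ZONE = {
    "example.com": [
        ("issue", "ca.example.net"),
        ("issueemail", "ca.example.net; validationmethods=smime-01"),
    ],
    "mail.example.org": [("issueemail", ";")],  # empty issuer: nobody may issue
}

def relevant_records(domain, zone):
    """Climb from domain towards the root; the first non-empty CAA set wins (RFC 8659 s.3)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        found = zone.get(".".join(labels[i:]))
        if found:
            return found
    return []

def parse_issue_value(value):
    """Split "issuer; k=v; k2=v2" into (issuer, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0], params

def may_issue_email_cert(email, ca_domain, method, zone=SAMPLE_ZONE):
    """True if CAA lets ca_domain issue for email via the given challenge type."""
    domain = email.rpartition("@")[2]
    records = [v for t, v in relevant_records(domain, zone) if t.lower() == "issueemail"]
    if not records:
        return True
    for value in records:
        issuer, params = parse_issue_value(value)
        if issuer.lower() != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed is None or method in [m.strip() for m in allowed.split(",")]:
            return True
    return False
```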
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Rob Stradling via Smcwg-public<br>
<b>Sent:</b> Monday, February 1, 2021 6:41 PM<br>
<b>To:</b> Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>;
 Neil Dunbar <<a href="mailto:ndunbar@trustcorsystems.com">ndunbar@trustcorsystems.com</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br>
<b>Cc:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br>
<b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
 </p>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
<span style="font-family:"Calibri",sans-serif; color:black">FYI, <a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> seeks
 to "extend CAA to allow control over issuance of certificates for email addresses within that domain".</span></p>
</div>
<div>
<div>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Times New Roman", serif;">
 </p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>