<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>I agree that CAA for Email should have its own draft, instead of being part of a larger document with a different purpose.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Rob Stradling <rob@sectigo.com> <br><b>Sent:</b> Wednesday, February 3, 2021 5:56 AM<br><b>To:</b> Stephen Davidson <Stephen.Davidson@digicert.com>; SMIME Certificate Working Group <smcwg-public@cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; Tim Hollebeek <tim.hollebeek@digicert.com>; Neil Dunbar <ndunbar@trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr><br><b>Cc:</b> Kirk Hall <Kirk.Hall@entrust.com><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>Hi Stephen.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>I agree that the "sso-01" method proposed in <a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-5">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-5</a> is not currently suitable for validating a publicly-trusted S/MIME certificate. Furthermore, I don't think anyone intends that it should be used for this purpose. AIUI, the leaf certificates envisaged by draft-biggs-acme-sso are not intended to be used for S/MIME at all.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><a href="https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> is interesting to this group because it also defines "smime-01", with reference to <a href="https://tools.ietf.org/html/draft-ietf-acme-email-smime-13">https://tools.ietf.org/html/draft-ietf-acme-email-smime-13</a>.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>TBH, I think it would make sense to split out Section 6 (CAA for Email Address Certificates) into a separate I-D.<o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="98%" align=center></div><div id=divRplyFwdMsg><p class=MsoNormal><b><span style='color:black'>From:</span></b><span style='color:black'> Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>><br><b>Sent:</b> 02 February 2021 22:10<br><b>To:</b> Stephen Davidson <<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Rob Stradling <<a href="mailto:rob@sectigo.com">rob@sectigo.com</a>>; Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; Neil Dunbar <<a href="mailto:ndunbar@trustcorsystems.com">ndunbar@trustcorsystems.com</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br><b>Cc:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br><b>Subject:</b> RE: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME</span> <o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=xmsonormal>Mozilla policy section 2.2 states:<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal style='margin-left:.5in'>For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate <u>or has been authorized by the email account holder to act on the account holder’s behalf. The CA SHALL NOT delegate validation of the domain portion of an email address.</u> The CA MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification.<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal>One could argue that the use of CAA described in draft-biggs-acme authorizes an SSO to act on an account holder’s behalf … but it is less clear if it fulfils the CA’s obligation to validate control of the domain portion. CAA as described here is not a method allowed under section 3.2.2.4 of the TLS BR so if this method was desired, we’d have to define suitable provision in the SMIME BR and also seek Mozilla’s acceptance.<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=xmsonormal><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Stephen Davidson via Smcwg-public<br><b>Sent:</b> Monday, February 1, 2021 6:58 PM<br><b>To:</b> Rob Stradling <<a href="mailto:rob@sectigo.com">rob@sectigo.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; Neil Dunbar <<a href="mailto:ndunbar@trustcorsystems.com">ndunbar@trustcorsystems.com</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br><b>Cc:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></div></div><p class=xmsonormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p><p class=xmsonormal>Thanks for raising this Rob as it will come up in some detail later in our discussions relating to control of an email address.<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-biggs-acme-sso-00%23section-6&data=04%7C01%7Crob%40sectigo.com%7C66977f966d8347fd431c08d8c7c76cbd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637479006640604963%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=O76Bq%2FiItsAirOQe5srr2a3CULpkw4WvLGd3NUnV9Ck%3D&reserved=0">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> ACME Extension for Single Sign On Challenges<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal>Note that this not only defines an issueemail property for CAA, but also a validationmethods parameter which is squarely within the interest of this WG. Options defined in the RFC include an SSO option (including the ability to specify SSOproviders) as well as email verification (see other doc at <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fid%2Fdraft-ietf-acme-email-smime-13.txt&data=04%7C01%7Crob%40sectigo.com%7C66977f966d8347fd431c08d8c7c76cbd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637479006640614920%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=AY08nJrMJe1%2FfgA50X0Jn2dDqPi9lYpHYQKX9ptZGNc%3D&reserved=0">https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt</a> Extensions to ACME<span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span>for end-user S/MIME certificates) mentioned previously.<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal>Regards, Stephen<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=xmsonormal> <span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=xmsonormal><b>From:</b> Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Rob Stradling via Smcwg-public<br><b>Sent:</b> Monday, February 1, 2021 6:41 PM<br><b>To:</b> Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>>; SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; Neil Dunbar <<a href="mailto:ndunbar@trustcorsystems.com">ndunbar@trustcorsystems.com</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br><b>Cc:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br><b>Subject:</b> Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME<span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></div></div><p class=xmsonormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p><div><p class=xmsonormal><span style='font-size:12.0pt;color:black'>FYI, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-biggs-acme-sso-00%23section-6&data=04%7C01%7Crob%40sectigo.com%7C66977f966d8347fd431c08d8c7c76cbd%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637479006640614920%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YMcGZs3XRqV5FLmlHpgMorgoxbPBeo26tc8lYcgS6co%3D&reserved=0">https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6</a> seeks to "extend CAA to allow control over issuance of certificates for email addresses within that domain".</span><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></div><div><div><div><p class=xmsonormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></body></html>