[cabf_validation] Multi‐factor authentication

Bruce Morton Bruce.Morton at entrust.com
Mon Jul 31 13:50:11 UTC 2023


TLS and S/MIME BR 6.5.1 state, “The CA SHALL enforce multi‐factor authentication for all accounts capable of directly causing certificate issuance.” The same text will also be added to the CSBR, if the latest ballot passes.

Mozilla Policy 2.1 states, “CA operators whose certificates are included in Mozilla's root store MUST enforce multi-factor authentication for all accounts capable of causing certificate issuance or performing Registration Authority or Delegated Third Party functions, or implement technical controls operated by the CA to restrict certificate issuance through the account to a limited set of pre-approved domains or email addresses;”

Should we consider adding text similar to “or implement technical controls operated by the CA to restrict certificate issuance through the account to a limited set of pre-approved domains”, which would allow the Mozilla requirement to be used for TLS certificates from the CAB Forum’s perspective?

If acceptable, similar changes could also be suggested to the S/MIME and Code Signing Working Groups.


Thanks, Bruce.