[Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

Stephen Davidson Stephen.Davidson at digicert.com
Tue Feb 2 22:10:51 UTC 2021


Mozilla policy section 2.2 states:

For a certificate capable of being used for digitally signing or encrypting
email messages, the CA takes reasonable measures to verify that the entity
submitting the request controls the email account associated with the email
address referenced in the certificate or has been authorized by the email
account holder to act on the account holder's behalf. The CA SHALL NOT
delegate validation of the domain portion of an email address. The CA MAY
rely on validation the CA has performed for an Authorization Domain Name (as
specified in the Baseline Requirements) as being valid for subdomains of
that Authorization Domain Name. The CA's CP/CPS must clearly specify the
procedure(s) that the CA employs to perform this verification.

One could argue that the use of CAA described in draft-biggs-acme authorizes
an SSO to act on an account holder's behalf, but it is less clear whether it
fulfils the CA's obligation to validate control of the domain portion. CAA
as described here is not a method allowed under section 3.2.2.4 of the TLS
BR, so if this method was desired, we'd have to define a suitable provision in
the SMIME BR and also seek Mozilla's acceptance.

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen
Davidson via Smcwg-public
Sent: Monday, February 1, 2021 6:58 PM
To: Rob Stradling <rob at sectigo.com>; SMIME Certificate Working Group
<smcwg-public at cabforum.org>; Paul van Brouwershaven
<Paul.vanBrouwershaven at entrust.com>; Tim Hollebeek
<tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>;
Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME


Thanks for raising this, Rob, as it will come up in some detail later in our
discussions relating to control of an email address.

https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 ACME Extension
for Single Sign On Challenges


Note that this not only defines an issueemail property for CAA, but also a
validationmethods parameter which is squarely within the interest of this
WG. Options defined in the RFC include an SSO option (including the ability
to specify SSOproviders) as well as email verification (see other doc at
https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt Extensions to
ACME for end-user S/MIME certificates) mentioned previously.

Regards, Stephen

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Rob Stradling via
Smcwg-public
Sent: Monday, February 1, 2021 6:41 PM
To: Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME Certificate Working
Group <smcwg-public at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>;
Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA)
<dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

FYI, https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 seeks to
"extend CAA to allow control over issuance of certificates for email
addresses within that domain".
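As an added example (not code from this thread, the draft, or any CA), here is how a CA's pre-issuance check might evaluate the proposed CAA issueemail property and its validationmethods parameter for an S/MIME request. It assumes the issueemail value follows the RFC 8659 issue grammar (issuer domain followed by ';'-separated tag=value parameters), that validationmethods is a comma-separated list of permitted methods, that a relevant CAA RRset with no issueemail property leaves email issuance unrestricted by CAA, and it uses constructed DNS data in place of real lookups.

```python
# Added example (not from the thread, the draft, or any CA): pre-issuance CAA check
# for S/MIME modelled on the issueemail property and validationmethods parameter of
# draft-biggs-acme-sso-00. Assumed: issueemail uses the RFC 8659 'issue' grammar
# (issuer domain; tag=value; ...), validationmethods is comma-separated, and a
# relevant RRset without issueemail leaves email issuance unrestricted.

# Constructed CAA RRsets keyed by FQDN: (flags, tag, value) tuples; no real DNS lookups.
CONSTRUCTED_CAA = {
    "example.com.": [
        (0, "issue", "tls-ca.example.net"),  # TLS 'issue' grants nothing for email
        (0, "issueemail", "smime-ca.example.net; validationmethods=email,sso"),
        (0, "issueemail", "other-ca.example.org; validationmethods=email"),
    ],
    "locked.example.": [(0, "issueemail", ";")],  # empty issuer: no CA may issue
}

def relevant_caa(domain):
    """RFC 8659 climbing: first non-empty CAA RRset at the domain or an ancestor."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = CONSTRUCTED_CAA.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def parse_issue_value(value):
    """Split 'issuer-domain; tag=value; ...' into (issuer, {tag: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for param in parts[1:]:
        if "=" in param:
            tag, val = param.split("=", 1)
            params[tag.strip().lower()] = val.strip()
    return parts[0].lower(), params

def may_issue_smime(email, ca_domain, method):
    """True if ca_domain may issue an S/MIME certificate for email via method."""
    domain = email.rsplit("@", 1)[1]  # CAA is evaluated on the address's domain part
    records = [v for _, tag, v in relevant_caa(domain) if tag.lower() == "issueemail"]
    if not records:
        return True  # assumption: no issueemail property, CAA does not restrict
    for value in records:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue  # another CA's record, or the empty issuer, grants nothing
        allowed = params.get("validationmethods")
        if allowed is None or method.lower() in [m.strip().lower() for m in allowed.split(",")]:
            return True
    return False
```

Note that a subdomain with no CAA RRset of its own (mail.example.com here) inherits the parent's issueemail records through the climbing step, which is what lets a domain owner constrain S/MIME issuance for every address under it in one place.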

 
