[Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

Rob Stradling rob at sectigo.com
Wed Feb 3 10:55:43 UTC 2021


Hi Stephen.

I agree that the "sso-01" method proposed in https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-5 is not currently suitable for validating a publicly-trusted S/MIME certificate.  Furthermore, I don't think anyone intends that it should be used for this purpose.  AIUI, the leaf certificates envisaged by draft-biggs-acme-sso are not intended to be used for S/MIME at all.

https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 is interesting to this group because it also defines "smime-01", with reference to https://tools.ietf.org/html/draft-ietf-acme-email-smime-13.

TBH, I think it would make sense to split out Section 6 (CAA for Email Address Certificates) into a separate I-D.

________________________________
From: Stephen Davidson <Stephen.Davidson at digicert.com>
Sent: 02 February 2021 22:10
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Rob Stradling <rob at sectigo.com>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; Tim Hollebeek <tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: RE: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

Mozilla policy section 2.2 states:

For a certificate capable of being used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder’s behalf. The CA SHALL NOT delegate validation of the domain portion of an email address. The CA MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification.

One could argue that the use of CAA described in draft-biggs-acme authorizes an SSO to act on an account holder’s behalf … but it is less clear if it fulfils the CA’s obligation to validate control of the domain portion.  CAA as described here is not a method allowed under section 3.2.2.4 of the TLS BR so if this method was desired, we’d have to define suitable provision in the SMIME BR and also seek Mozilla’s acceptance.

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Monday, February 1, 2021 6:58 PM
To: Rob Stradling <rob at sectigo.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; Tim Hollebeek <tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

Thanks for raising this Rob as it will come up in some detail later in our discussions relating to control of an email address.

https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 ACME Extension for Single Sign On Challenges

Note that this not only defines an issueemail property for CAA, but also a validationmethods parameter which is squarely within the interest of this WG.  Options defined in the RFC include an SSO option (including the ability to specify SSO providers) as well as email verification (see other doc at https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt Extensions to ACME for end-user S/MIME certificates) mentioned previously.

Regards, Stephen

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Rob Stradling via Smcwg-public
Sent: Monday, February 1, 2021 6:41 PM
To: Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

FYI, https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 seeks to "extend CAA to allow control over issuance of certificates for email addresses within that domain".
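The issueemail property and its validationmethods parameter discussed in the thread above, as an added example that is not code from the thread, from draft-biggs-acme-sso or from any CA: a CA-side check in Python that finds the relevant CAA RRset by RFC 8659 tree climbing over a constructed zone and decides whether a named CA may issue for a mailbox after a given validation method. The value grammar (`issuer-domain; validationmethods=m1,m2`), the property names KNOWN_TAGS, and treating a missing issueemail record as unrestricted are assumptions modelled on RFC 8659 "issue" semantics.

```python
from dataclasses import dataclass


@dataclass
class CAA:
    """One CAA resource record (RFC 8659): flags byte, property tag, value."""
    flags: int
    tag: str
    value: str


# Property tags this checker understands (assumption: issueemail as named in the thread).
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issueemail"}

# Constructed zone data, not real DNS: owner name -> CAA RRset (empty list = no CAA at that name).
ZONE = {
    "example.com.": [CAA(0, "issue", "tls-ca.example"),
                     CAA(0, "issueemail", "mail-ca.example; validationmethods=smime-01")],
    "sub.example.com.": [],                             # inherits example.com. via tree climbing
    "other.example.": [CAA(0, "issueemail", ";")],      # empty issuer: no CA may issue for email
    "locked.example.": [CAA(128, "futureprop", "x")],   # critical flag on an unrecognised property
}


def relevant_caa_set(domain):
    """RFC 8659 section 3: walk from the domain towards the root; first non-empty RRset wins."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def parse_issue_value(value):
    """'ca.example; k1=v1; k2=v2' -> ('ca.example', {'k1': 'v1', ...}); empty issuer means nobody."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), {k.strip().lower(): v.strip() for k, v in params.items()}


def email_issuance_allowed(email, ca_domain, method):
    """CA-side decision: may ca_domain issue for this mailbox after validating with `method`?"""
    rrset = relevant_caa_set(email.rsplit("@", 1)[1])
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False                      # critical property we do not understand: must not issue
    records = [r for r in rrset if r.tag.lower() == "issueemail"]
    if not records:
        return True                       # assumption: no issueemail property means no restriction
    for r in records:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        methods = params.get("validationmethods")
        if methods is None or method in [m.strip() for m in methods.split(",")]:
            return True
    return False
```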
