[Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

Tim Hollebeek tim.hollebeek at digicert.com
Thu Feb 4 21:54:00 UTC 2021


I agree that CAA for Email should have its own draft, instead of being part
of a larger document with a different purpose.

 

-Tim

 

From: Rob Stradling <rob at sectigo.com> 
Sent: Wednesday, February 3, 2021 5:56 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate
Working Group <smcwg-public at cabforum.org>; Paul van Brouwershaven
<Paul.vanBrouwershaven at entrust.com>; Tim Hollebeek
<tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>;
Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

 

Hi Stephen.

 

I agree that the "sso-01" method proposed in
https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-5 is not
currently suitable for validating a publicly-trusted S/MIME certificate.
Furthermore, I don't think anyone intends that it should be used for this
purpose.  AIUI, the leaf certificates envisaged by draft-biggs-acme-sso are
not intended to be used for S/MIME at all.

 

https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 is interesting
to this group because it also defines "smime-01", with reference to
https://tools.ietf.org/html/draft-ietf-acme-email-smime-13.

 

TBH, I think it would make sense to split out Section 6 (CAA for Email
Address Certificates) into a separate I-D.

 


From: Stephen Davidson <Stephen.Davidson at digicert.com>
Sent: 02 February 2021 22:10
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Rob Stradling <rob at sectigo.com>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; Tim Hollebeek <tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: RE: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

 


 

Mozilla policy section 2.2 states:

 

For a certificate capable of being used for digitally signing or encrypting
email messages, the CA takes reasonable measures to verify that the entity
submitting the request controls the email account associated with the email
address referenced in the certificate or has been authorized by the email
account holder to act on the account holder's behalf. The CA SHALL NOT
delegate validation of the domain portion of an email address. The CA MAY
rely on validation the CA has performed for an Authorization Domain Name (as
specified in the Baseline Requirements) as being valid for subdomains of
that Authorization Domain Name. The CA's CP/CPS must clearly specify the
procedure(s) that the CA employs to perform this verification.

 

One could argue that the use of CAA described in draft-biggs-acme authorizes
an SSO to act on an account holder's behalf, but it is less clear if it
fulfils the CA's obligation to validate control of the domain portion.  CAA
as described here is not a method allowed under section 3.2.2.4 of the TLS
BR, so if this method was desired, we'd have to define suitable provision in
the SMIME BR and also seek Mozilla's acceptance.

 

 

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Monday, February 1, 2021 6:58 PM
To: Rob Stradling <rob at sectigo.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; Tim Hollebeek <tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

 

Thanks for raising this Rob as it will come up in some detail later in our
discussions relating to control of an email address.

 

https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6  ACME Extension for Single Sign On Challenges

 

Note that this not only defines an issueemail property for CAA, but also a
validationmethods parameter which is squarely within the interest of this
WG.  Options defined in the RFC include an SSO option (including the ability
to specify SSOproviders) as well as email verification (see other doc at
https://www.ietf.org/id/draft-ietf-acme-email-smime-13.txt  Extensions to ACME for end-user
S/MIME certificates) mentioned previously.

 

Regards, Stephen
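To make the issueemail property and its validationmethods parameter concrete, here is a CA-side policy check written for this archive page; it is an added example, not code from draft-biggs-acme-sso, from draft-ietf-acme-email-smime, or from any participant in the thread. It assumes that an issueemail value uses the same syntax as RFC 8659's issue property (an issuer domain, then optional ";key=value" parameters), that validationmethods is a comma-separated list of method names as the RFC 8657 parameter of that name is, and that a zone with CAA records but no issueemail record imposes no restriction on email issuance. The method names smime-01 and sso-01 are the ones named in the thread; the ZONE data, the CA domains and the email addresses are constructed sample values.

```python
"""
Evaluate a CAA "issueemail" policy before issuing an S/MIME certificate.

Assumptions (this is illustrative code, not the draft's own text):
  - "issueemail" takes the same value syntax as "issue" (RFC 8659):
    an issuer domain, optionally followed by ";key=value" parameters.
    An empty issuer domain (value ";") means no CA may issue.
  - "validationmethods" is a comma-separated list of method names,
    modelled on the RFC 8657 parameter of the same name.
  - The relevant RRset is found as in RFC 8659 section 3: the closest
    ancestor of the email address's domain that has any CAA records.
  - A CAA RRset with no issueemail record leaves email issuance unrestricted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data: name -> CAA RDATA in presentation format.
ZONE: Dict[str, List[str]] = {
    "example.com": [
        '0 issue "ca.example"',
        '0 issueemail "mail-ca.example; validationmethods=smime-01"',
    ],
    "strict.example.org": [
        '0 issueemail ";"',            # nobody may issue email certificates
    ],
    "legacy.example.net": [
        '128 newprop "unknown"',       # critical flag on a tag we do not understand
        '0 issueemail "mail-ca.example"',
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issueemail"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"' into a CAARecord (tag lower-cased)."""
    flags_s, tag, value = rdata.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags_s), tag.lower(), value)


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split '<issuer>; k=v; k2=v2' into (issuer_domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def relevant_rrset(zone: Dict[str, List[str]], name: str) -> Optional[List[CAARecord]]:
    """Walk from name towards the root; return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return None


def email_issuance_allowed(zone: Dict[str, List[str]], email: str,
                           ca_domain: str, method: str) -> bool:
    """True if the CA identified by ca_domain may issue for `email`
    using validation method `method` (e.g. "smime-01" or "sso-01")."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    rrset = relevant_rrset(zone, domain)
    if rrset is None:
        return True                      # no CAA anywhere: unrestricted (RFC 8659)
    # A critical record the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    email_records = [r for r in rrset if r.tag == "issueemail"]
    if not email_records:
        return True                      # assumption: no issueemail -> no restriction
    for r in email_records:
        try:
            issuer, params = parse_issue_value(r.value)
        except ValueError:
            continue                     # malformed record never grants authority
        if issuer != ca_domain.lower():
            continue
        methods = params.get("validationmethods")
        if methods is None:
            return True                  # issuer named, any method allowed
        if method.lower() in {m.strip().lower() for m in methods.split(",")}:
            return True
    return False


if __name__ == "__main__":
    for addr, ca, m in [("alice@example.com", "mail-ca.example", "smime-01"),
                        ("alice@example.com", "mail-ca.example", "sso-01"),
                        ("carol@strict.example.org", "mail-ca.example", "smime-01")]:
        print(addr, ca, m, "->", email_issuance_allowed(ZONE, addr, ca, m))
```

The two decisions worth noting are that the issue record for ca.example does not authorise email issuance at all (the properties are independent), and that once validationmethods is present, a CA named in the record is still refused for any method not on the list, which is exactly the lever Stephen points at for this WG.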

 

 

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Rob Stradling via Smcwg-public
Sent: Monday, February 1, 2021 6:41 PM
To: Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>; Neil Dunbar <ndunbar at trustcorsystems.com>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: Kirk Hall <Kirk.Hall at entrust.com>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: CAA and S/MIME

 

FYI, https://tools.ietf.org/html/draft-biggs-acme-sso-00#section-6 seeks to "extend CAA to allow
control over issuance of certificates for email addresses within that
domain".

 
