[Smcwg-public] Methods for email verification

Russ Housley housley at vigilsec.com
Fri Feb 19 14:19:54 UTC 2021


Regarding name constraints on email addresses in subordinate CA certificates, RFC 5280 says:

   A name constraint for Internet mail addresses MAY specify a
   particular mailbox, all addresses at a particular host, or all
   mailboxes in a domain.  To indicate a particular mailbox, the
   constraint is the complete mail address.  For example,
   "root@example.com" indicates the root mailbox on the host
   "example.com".  To indicate all Internet mail addresses on a
   particular host, the constraint is specified as the host name.  For
   example, the constraint "example.com" is satisfied by any mail
   address at the host "example.com".  To specify any address within a
   domain, the constraint is specified with a leading period (as with
   URIs).  For example, ".example.com" indicates all the Internet mail
   addresses in the domain "example.com", but not Internet mail
   addresses on the host "example.com".

I think it would be acceptable for a CA to validate control over a complete email address, such as "root@example.com".  However, it is not possible for the CA to enumerate all of the addresses on a particular host or in a particular domain.  So, in those cases, the validation needs to be for the domain.

Russ


> On Feb 17, 2021, at 6:02 PM, Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> Hello all:
>  
> Following our discussion on the call today, I attach draft text for section 3.2.2.2 of the SMIME BR (SBR) that deals with 1) Validating authority over email address via domain and 2) Validating control over email address via email.
>  
> It aims to fulfill the requirements of the Mozilla policy.  It includes comments with some questions that require further discussion.  Additional methods can be addressed in future versions of the SBR.
>  
> Many thanks to Doug and Sebastian at GlobalSign for their help in drafting this.  We’ll discuss this in a future meeting, but feel free to also provide feedback here.
>  
> Many thanks, Stephen
> <SBR - Draft email verification.pdf>
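The three rfc822Name constraint forms from the RFC 5280 text quoted above, as an added example that is not part of the original message or of any CA's code. The function names and sample addresses are constructed for illustration, and validation_scope() encodes the mailbox-versus-domain split suggested in the message as an assumption, not SBR text.

```python
# Added example: RFC 5280 rfc822Name name-constraint matching.
# All names and sample values here are constructed for illustration.

def _split(addr):
    """Split a mailbox into (local-part, host); the host is lowercased."""
    local, sep, host = addr.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not a mailbox: {addr!r}")
    return local, host.lower()

def matches_constraint(addr, constraint):
    """True if mailbox `addr` satisfies a single rfc822Name constraint."""
    local, host = _split(addr)
    if "@" in constraint:
        # Particular mailbox: the constraint is the complete mail address.
        # Local-part is compared exactly, host case-insensitively.
        c_local, c_host = _split(constraint)
        return local == c_local and host == c_host
    c = constraint.lower()
    if c.startswith("."):
        # Domain form: hosts below the domain, but not the bare host itself.
        return host.endswith(c) and len(host) > len(c)
    # Host form: any mailbox on exactly this host, no subdomains.
    return host == c

def permitted(addr, permitted_subtrees=None, excluded_subtrees=()):
    """Excluded subtrees win; with no permitted list nothing is restricted."""
    if any(matches_constraint(addr, c) for c in excluded_subtrees):
        return False
    if permitted_subtrees is None:
        return True
    return any(matches_constraint(addr, c) for c in permitted_subtrees)

def validation_scope(constraint):
    """Assumption from the message: a complete address can be validated as a
    mailbox; host and domain forms need validation of the domain."""
    if "@" in constraint:
        return ("mailbox", constraint)
    return ("domain", constraint.lstrip(".").lower())
```

Covering both a host and its subdomains takes two permitted entries, "example.com" and ".example.com", because neither form implies the other.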