[Smcwg-public] Methods for email verification

Tim Hollebeek tim.hollebeek at digicert.com
Tue Feb 23 16:30:18 UTC 2021


Right, we should follow the CABF validation reuse rules.  I.e. as long as they’re both issued within the validation reuse timeframe, the second can reuse the first’s validation.

 

One of the annoying things is that CABF policies and traditional PKI policies say basically the same thing in two different ways.

 

Traditional PKIs have no provisions for reuse of validation, but define issuance categories like “renewal” and “replacement” that have pared-down validation and issuance rules based on the existence of a previously issued certificate with the same validated information.

 

CABF PKIs forbid “renewal”, etc., and treat everything as a new issuance, but have validation reuse requirements that in practice … tend to have exactly the same effect.  You can renew (etc.) a certificate without having to completely redo the validation for previously validated information.

 

It’s mostly just tomayto tomahto, but it is a pain for PKIs that span both worlds.

 

-Tim

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Smcwg-public
Sent: Sunday, February 21, 2021 5:17 AM
To: Wendy Brown - QT3LB-C <wendy.brown at gsa.gov>; SMIME Certificate Working Group <smcwg-public at cabforum.org>; Doug Beattie <doug.beattie at globalsign.com>
Subject: Re: [Smcwg-public] Methods for email verification

 

 

On 18/2/2021 6:25 PM, Wendy Brown - QT3LB-C via Smcwg-public wrote:

Also, could a single validation of the email address be used for issuance of both the signature & encryption certs in the case of the dual certs vs single cert case?



That makes perfect sense to me.

Validations in general should be allowed to be reused, as is allowed in other Certificate types.


Dimitris.




Wendy

Wendy Brown
Supporting GSA FPKI
Protiviti Government Services

 703-965-2990 (cell)

wendy.brown at gsa.gov
wendy.brown at protiviti.com

 

 

On Thu, Feb 18, 2021 at 10:54 AM Doug Beattie via Smcwg-public <smcwg-public at cabforum.org> wrote:

Hi Stephen,

 

I’m not sure I agree with this statement in section 3.2.2.2.2 Validating control over email address via email

 

*	Completed validations of Applicant control over the email address must be performed for each Certificate issuance.

 

I’d like to permit re-use of that validation over and over for the re-use period for that subscriber if possible.  Is there a reason we preclude that?  For example, an email gateway provider might validate this email address and then want to replace certificates more frequently than 397 days, but this would require emails to the email box to act on that.

 

Doug

 

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Wednesday, February 17, 2021 6:02 PM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Methods for email verification

 

Hello all:

 

Following our discussion on the call today, I attach draft text for section 3.2.2.2 of the SMIME BR (SBR) that deals with 1) Validating authority over email address via domain and 2) Validating control over email address via email.

 

It aims to fulfill the requirements of the Mozilla policy.  It includes comments with some questions that require further discussion.  Additional methods can be addressed in future versions of the SBR.

 

Many thanks to Doug and Sebastian at GlobalSign for their help in drafting this.  We’ll discuss this in a future meeting, but feel free to also provide feedback here.

 

Many thanks, Stephen

_______________________________________________
Smcwg-public mailing list
Smcwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/smcwg-public






 
