[Smcwg-public] Proposed method for "validating applicant as operator of associated mail servers"

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Jan 19 17:37:15 UTC 2022


This method has several challenges, some of which have already been 
discussed in the validation subcommittee and the server certificate 
working group. It's basically the fact that the control of the domain 
name is performed by a different entity, which is different than the 
actual "Applicant". It is like the Applicant is delegating control over 
to a different entity.

Assuming we overcome these issues, if we accept the fact that the 
operator of a server in the MX records of a Domain Name is by virtue 
*authorized* to issue any S/MIME certificate that contains any email 
address that contains the domain part of the validated domain name, this 
validation evidence _should not be allowed to be reused_. That is 
because the Domain Name owner could decide to switch to another mail 
provider, change the MX records and wouldn't want the previous mail 
provider to be authorized to issue certificates under their Domain Name.

This means that, similarly to the CAA mandatory checking requirement in 
the TLS BRs, the CA would need to always check the MX records for every 
Domain Name being validated using this method.


Dimitris.

On 19/1/2022 7:17 PM, Stephen Davidson via Smcwg-public wrote:
>
> Hello all:
>
> Per our discussion today of the draft text of section 3.2.2 
> “Validation of mailbox authorization or control 
> <https://github.com/cabforum/smime/blob/preSBR/SBR.md#322-validation-of-mailbox-authorization-or-control>” 
> Fotis Loukos has proposed a new method for "validating applicant as 
> operator of associated mail servers."  This would apply in cases where 
> I have my own domain but redirect/outsource the operation of my entire 
> email domain to a service.
>
> I believe that we should accommodate this common use case in the 
> S/MIME BR, but know that it’s different from our previous discussions 
> on mailbox verification which centered mainly on familiar methods from 
> the TLS BR.  As such, I attach the proposed text below and hope that 
> WG members can review the associated RFC 5321 Section 5.1 and provide 
> feedback on list.  For example, this may tie in with another agenda 
> item on the reuse periods for different types of verification. If 
> needed we can schedule specific time (perhaps at the F2F) to work on 
> this as well.
>
> It was a useful call today; thank you.
>
> Regards, Stephen
>
> #### 3.2.2.3 Validating applicant as operator of associated mail server(s)
>
> Confirming the Applicant's control over the rfc822Name email address 
> by confirming control of the SMTP FQDN to which a message delivered to 
> the email address should be directed. The SMTP FQDN MUST be identified 
> using the address resolution algorithm defined in RFC 5321 Section 5.1 
> which determines which SMTP FQDNs are authoritative for a given email 
> address. If more than one SMTP FQDNs have been discovered, the CA MUST 
> verify control of an SMTP FQDN following the selection process at RFC 
> 5321 Section 5.1.
>
> When confirming the Applicant's control of the SMTP FQDN, the CA MUST 
> use the methods described in Section 3.2.2.4 of the TLS Baseline 
> Requirements.
>
> This method is suitable for validating control of all email addresses 
> under a single domain.
>
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
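The resolution step in the proposed 3.2.2.3 text and the re-check Dimitris asks for, as an added example (not code from the thread or from the SBR draft): RFC 5321 section 5.1 host selection run over a constructed, offline DNS table, plus a second table modelling the Domain Name owner switching mail provider. All zone names, records and function names here are constructed for illustration.

```python
"""RFC 5321 section 5.1 SMTP host resolution over constructed DNS data."""
import random

# Constructed zone data (not real records): name -> {rtype: records}.
# MX records are (preference, exchange); a single (0, ".") is a null MX (RFC 7505).
ZONE = {
    "example.test": {"MX": [(20, "mx2.mailhost.test"), (10, "mx1.mailhost.test")]},
    "alias.test": {"CNAME": "example.test"},          # resolved via its canonical name
    "nomx.test": {"A": ["192.0.2.10"]},               # no MX: the domain itself is implicit MX
    "nullmx.test": {"MX": [(0, ".")]},                # explicitly accepts no mail at all
    "mx1.mailhost.test": {"A": ["192.0.2.1"]},
    "mx2.mailhost.test": {"A": ["192.0.2.2"]},
}
# The same owner after moving to another provider: the old operator's hosts are gone.
SWITCHED_ZONE = dict(ZONE, **{"example.test": {"MX": [(10, "mail.otherhost.test")]}})

def lookup(name, rtype, zone=ZONE):
    rec = zone.get(name.lower().rstrip("."), {})
    if "CNAME" in rec:                      # 5321 5.1: process the canonical name instead
        return lookup(rec["CNAME"], rtype, zone)
    return list(rec.get(rtype, []))

def resolve_smtp_fqdns(email, zone=ZONE):
    """Candidate SMTP FQDNs for an address, in RFC 5321 5.1 selection order.

    Lowest preference first; hosts sharing a preference are shuffled so none is
    favoured. A null MX yields an empty list. With no MX at all, the domain is
    its own implicit MX if it has an address record.
    """
    domain = email.rsplit("@", 1)[1]
    mx = lookup(domain, "MX", zone)
    if mx:
        if len(mx) == 1 and mx[0] == (0, "."):
            return []
        by_pref = {}
        for pref, host in mx:
            by_pref.setdefault(pref, []).append(host.rstrip("."))
        ordered = []
        for pref in sorted(by_pref):
            group = by_pref[pref]
            random.shuffle(group)
            ordered.extend(group)
        return ordered
    if lookup(domain, "A", zone) or lookup(domain, "AAAA", zone):
        return [domain.lower().rstrip(".")]
    return []

def still_authoritative(validated_fqdn, email, zone=ZONE):
    """Re-run resolution at issuance time instead of reusing earlier evidence."""
    return validated_fqdn.lower() in {h.lower() for h in resolve_smtp_fqdns(email, zone)}
```

The first element of `resolve_smtp_fqdns` is the host the RFC's selection process tries first; `still_authoritative` returns False once the MX records no longer name the operator whose control was validated.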