[Smcwg-public] Enterprise RA and external email domains

Bruce Morton Bruce.Morton at entrust.com
Fri Apr 28 18:22:01 UTC 2023


I think the answer to the question is yes: it is appropriate for an Enterprise RA to issue Sponsor-validated certs including a mailbox under an external email domain. The justification is that per SMCBR 3.2.6 the CA must verify authorization of the Enterprise RA, and per SMCBR 1.3.2.1 the CA must impose limitations as a contractual requirement (Subscriber Agreement) on the Enterprise RA. As such the Enterprise (Subscriber) should be fully aware of what the Enterprise RA is permitted to do.

There is also an obligation that the CA monitor compliance of the Enterprise RA. I think this CA obligation should be dropped as Enterprise RA compliance should also be addressed as a contractual requirement. The original EV Guideline purpose of the Enterprise RA was to allow them to do limited RA functions in a limited area (controlled by organization name and domain name) and not be subject to audit (or monitoring). I think the same purpose could be extended for S/MIME certificates.


Thanks, Bruce.

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, April 27, 2023 12:44 PM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [EXTERNAL] Re: [Smcwg-public] Enterprise RA and external email domains

A second attempt at the attachment.

Regards, Stephen


From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Stephen Davidson via Smcwg-public
Sent: Thursday, April 27, 2023 9:37 AM
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Enterprise RA and external email domains

The current SBR text only allows an Enterprise RA to issue "identity" certs to email domains under its authority or control.  For external email domains, the Mailbox-validated domain is proposed.

Attached are the slides from yesterday's SMCWG meeting, including the discussion of whether it is appropriate for an Enterprise RA to issue Sponsor-validated certs including a mailbox under an external email domain.

This discussion will continue.

Regards, Stephen