Re: [Last-Call] Artart last call review of draft-ietf-lamps-caa-issuemail-04

On Sat, 1 Jul 2023, Russ Housley wrote:
>> It's never been clear how one ensures that the requestor for an S/MIME
>> cert is authorized to ask for a cert for the address, since from the
>> outside you can't tell anything about the relationship between a
>> domain and e-mail addresses at that domain. (Consider, for example,
>> addresses at gmail.com, ietf.org, and fbi.gov.) While this change
>> doesn't make the authorization issue any worse, it also doesn't
>> improve it. It'd be worth a sentence in the security section to remind
>> people that the CAA restrictions have to be used along with some other
>> way to check whether it is OK for the CA to sign a cert for a specific
>> address.
>
> The CA/Browser Forum has defined several mechanisms for a user to demonstrate that they have access to send and receive email at a particular mailbox.  That said, I'm not sure it is a topic for this document.

If it wasn't clear, I wasn't saying you need to invent anything, just that you need to keep using whatever other measures there are. Not a big deal.

Regards,
John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
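The point made in the thread, as an added example that is not part of the draft or of either message: a CAA "issuemail" lookup for the mailbox's domain answers which CA may issue S/MIME certificates there, and a separate mailbox-control result (modelled as a boolean the caller supplies) has to be combined with it before issuance. The CAA record data, domain names and function names are constructed for illustration; the climb-to-root lookup and the critical flag follow RFC 8659, and only the issuemail property is consulted.

```python
# Added example, not code from the draft or the thread: the two independent checks a
# CA needs before issuing an S/MIME certificate for a mailbox. CAA "issuemail"
# (the property this draft defines) answers "which CA may issue for this domain";
# it cannot answer "does the requester control this mailbox", so a separate
# mailbox-control result is required as well. Record data below is constructed.

# Constructed CAA data: FQDN -> list of (flags, tag, value); RFC 8659 layout.
CONSTRUCTED_CAA = {
    "example.com": [(0, "issue", "webca.example"), (0, "issuemail", "mailca.example")],
    "locked.example": [(0, "issuemail", ";")],  # ";" means no CA may issue S/MIME
    "strict.example": [(128, "futuretag", "x")],  # unknown critical property
}
CRITICAL = 128  # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

def climb(fqdn):
    """Yield the FQDN and each ancestor down to (but excluding) the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def relevant_caa(fqdn, zones):
    """RFC 8659: the first non-empty CAA RRset found while climbing the tree."""
    for name in climb(fqdn):
        if zones.get(name):
            return zones[name]
    return []

def caa_permits_issuemail(mailbox, ca_domain, zones=CONSTRUCTED_CAA):
    """True if CAA policy for the mailbox's domain lets ca_domain issue S/MIME.
    Only the issuemail property is consulted; issue/issuewild do not apply."""
    domain = mailbox.rsplit("@", 1)[1]
    rrset = relevant_caa(domain, zones)
    # An unrecognised property marked critical forbids issuance entirely.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issuers = [v.split(";", 1)[0].strip().lower()
               for _, tag, v in rrset if tag.lower() == "issuemail"]
    if not issuers:
        return True  # no issuemail property: CAA does not restrict S/MIME issuance
    return ca_domain.lower() in issuers  # "" (from ";") matches no CA

def may_issue(mailbox, ca_domain, mailbox_control_verified, zones=CONSTRUCTED_CAA):
    """CAA is necessary but not sufficient: also require a demonstrated mailbox
    control result (e.g. a CA/Browser Forum email challenge), passed in here."""
    return caa_permits_issuemail(mailbox, ca_domain, zones) and bool(mailbox_control_verified)
```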