--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/VqO1FNjgYWNVMWuC5KSzivQZu9SIozSPnaMkKxIcn8MSuEaTCoHoIQaH_wSdP9l3G8k1jh_BW-wttwCMbXYW791DY24WGXjY8yZlWgpIizU%3D%40protonmail.com.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAKtZuQ5m3YOzhRYsON-UUk-_0TkojK%3DxisKu9JAoMUKa_5_n_A%40mail.gmail.com.
Could you give us more information about the specific reseller? Some of the smime resellers are appointed as RAs for the purpose of verifying identity in email certs. They can’t verify the email address itself nor can they verify identifies for non-email certs. Sounds like an RA isn’t living up to its obligations as we require “an alternate method of communication” to verify the details.
Jeremy
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHHLdMBFM5%2B%2BNapchZBRuWoMBpmQ0B9fZQWzJjNsXrh4Ow%40mail.gmail.com.
We are planning on making a change when there are updated requirements from the sMIME working group. For us, the alternative method of communication is usually just an email to the customer placing it. Ras generally verify the cert by using their relationship with the customer – again usually by sending an email to the sign up process. I agree that it’s not really a great process, but I wasn’t going to change it while new requirements are coming from CAB as the current process meets the literal language of the Mozilla policy. One reason we have Stephen Davidson so keen on the smime working group is because we’d like to see better requirements in this area.
They are verified through “an alternative method of communication”, which means an email confirming the details. Note that the requirement does not say “prevent all fake O fields”. It says confirm the information using an alternative means of communication. If you send us certs with fake O fields, we’ll happily revoke per the revocation requirements.
From: Matthias Merkel <matt...@matthias.zone>
Sent: Thursday, July 1, 2021 10:53 AM
To: Jeremy Rowley <jeremy...@digicert.com>
Well, define ‘unvetted’. I don’t think there are a lot without “an alternative email” and none where the email in the cert wasn’t vetted.
However, I think you are saying are there are a lot where there aren’t an OV TLS standard applied to the vetting. That’s difficult to say. We generally don’t sell smime retail (that only happens through partners) so we can verify our relationship to the customer before issuing the certs. That generally involves more rigorous identity vetting as part of the relationship process. For resellers, we see resellers as the partner, meaning we vet their identity when they sign up and confirm with them that the information is correct (they have to confirm via contract and via submission to the portal). The obligation is then passed down to them (via contract) to confirm organization information in the cert using the “alternative means of communication”. Note we also send an email directly to the email cert hold that confirms this info, which is an “alternative method of communication” by itself.
Like I said, I don’t love this process, which is why we have so many people involved in the smime WG.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB2600BC8C4A680BEA3B7BF99B8E009%40BYAPR14MB2600.namprd14.prod.outlook.com.
Interesting. I’ve always read it as "{independent source of information} or {an alternative communication channel}", not "independent {source of information or an alternative communication channel}". That could change things if the word “independent” was supposed to apply to both.
Note that we actually sell four/five (depending on how you want to parse it) five different levels of authentication on sMIME certs. These fall under our Level 1 – rudimentary certs. We have separate systems (where Resellers are not RAs) for Level 1.5+ certs. For this discussion, I’ll only cite the level 1 sections as these are the certs in question. These levels map to the NIST and FPKI defined levels of verification.
The CPS says:
Section 3.2.3: As specified in Section 3.2.2 (no identity verification other than control of the email address listed in the Certificate).
If you want to say these are “Enterprise” client certs then it says: “Through information derived from an ongoing business relationship with the applicant organization”, which is what resellers would fall under.
The other levels increase in complexity with Level 4 requiring a biometric.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHFrrgi8CgR%2B%3Dv3Md4H9zbHND5tArpxJ%3D-PMmJ0dPmDWXA%40mail.gmail.com.
There are org verified certs, which is why I mentioned we have several different levels of email certificates. A large part of the discussion will depend on the particular email cert type. I assumed we were discussing only the Level 1 certs, which maps to Federal Rudimentary levels of authentication. These different levels of verification are reflected in the CPS. For example, org validation similar to OV is required for enterprise class client certs. The policy OID in the cert identifies the level of verification completed. Personal Level 1, which is what resellers offer, are generally non-verified except via the alternative method of communication required and an email verification.
Jeremy
Interesting. I’ve always read it as "{independent source of information} or {an alternative communication channel}", not "independent {source of information or an alternative communication channel}". That could change things if the word “independent” was supposed to apply to both.
Any Subject Relative Distinguished Names other than email address must be rigorously validated before issuance, using a publicly documented and audited procedure. Refer to Section 3.2.3 “Authentication of Individual Identity” of the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, version 1.3.2 or greater for an acceptable procedure.
I’ll take the opportunity to follow up on Ryan’s introduction to the CA/Browser Forum’s S/MIME Certificate Working Group.
https://cabforum.org/working-groups/smime-certificate-wg/
The SMCWG is working on draft S/MIME Baseline Requirements that will address:
- Verification of control over email addresses
- Key management and certificate lifecycle
- Certificate profiles for S/MIME certificates and Issuing CA certificates
- CA operational practices, physical/logical security, etc.
In addition, the S/MIME Baseline Requirements will also address identity validation for natural persons and legal entities in the context of S/MIME certificates.
Membership of the SMCWG includes Certificate Issuers, Certificate Consumers (like mail clients), Interested Parties and Associate Members (such as audit and standards entities). Membership information is provided in the link above. We welcome those with an interest in S/MIME. The SMCWG’s activities may also be followed at https://lists.cabforum.org/mailman/listinfo/smcwg-public
The SMCWG is working on several profiles ranging from “legacy” to “strict” with the goal of documenting reasonable practices for S/MIME issuance and bringing them into an auditable framework. In part, the current “legacy” flexibility is required due to other uses cases (such as document signing) that may currently overlap the emailProtection EKU (see more here on that topic).
The draft profiles address different user Subject types, including mailbox only, organization, individual, and sponsored (which incorporates Enterprise RAs, where Org and domain information used in the Subject is fixed by the CA, but that Org’s RA can validate certain other information about the holders of individual certificates, typically employees). Where possible the S/MIME Baseline Requirements will leverage the verification procedures defined in other CABF or industry standards.
Regards, Stephen
Chair of the CABF S/MIME Certificate Working Group
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAKtZuQ6-r5Zsadh5zJ4oqgofBr_f4nrW1LAFr2Vy3goFogUV-Q%40mail.gmail.com.