Added validation of applicant as operator of associated mail server. #34

Merged
merged 3 commits into from Feb 2, 2022
15 changes: 12 additions & 3 deletions SBR.md
Expand Up @@ -372,7 +372,8 @@ The script outputs:
|TLS |Transport Layer Security|

### 1.6.3 References
TBD

RFC 5321, Request for Comments: 5321, Simple Mail Transfer Protocol, J. Klensin, October 2008.

### 1.6.4 Conventions

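Review bot: the References list now contains only RFC 5321, but the same file cites RFC 8659 (CAA property tags, section 3.2.2.4) and RFC 3966 (Global Number, section A.3.2) without listing them; since this hunk retires the "TBD" placeholder, add entries for those two as well so the list is complete. The entry itself states the number twice ("RFC 5321, Request for Comments: 5321, ..."); one form is enough.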
Expand Down Expand Up @@ -460,7 +461,15 @@ The Random Value SHALL be unique in each email. The Random Value SHALL remain va

The Random Value SHALL be reset upon each instance of the email sent by the CA and, if intended for additional use as an authentication factor, upon first use.

#### 3.2.2.3 CAA Records
#### 3.2.2.3 Validating applicant as operator of associated mail server(s)

Confirming the Applicant's control over the `rfc822Name` or `otherName` of type `id-on-SmtpUTF8Mailbox` email address by confirming control of the SMTP FQDN to which a message delivered to the email address should be directed. The SMTP FQDN MUST be identified using the address resolution algorithm defined in RFC 5321 Section 5.1 which determines which SMTP FQDNs are authoritative for a given email address. If more than one SMTP FQDNs have been discovered, the CA MUST verify control of an SMTP FQDN following the selection process at RFC 5321 Section 5.1. Aliases in MX record RDATA MUST NOT be used for this validation method.

When confirming the Applicant's control of the SMTP FQDN, the CA MUST use the methods in Section 3.2.2.4 of the Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates.

This method is suitable for validating control of all email addresses under a single domain.

#### 3.2.2.4 CAA Records

This version of the S/MIME Baseline Requirements does not require the CA to check for CAA records. The CAA property tags for issue, issuewild, and iodef as specified in RFC 8659 are not recognized for the issuance of S/MIME Certificates.

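Review bot: the opening sentence of the new 3.2.2.3 has no main verb ("Confirming the Applicant's control over the `rfc822Name` or `otherName` ... by confirming control of the SMTP FQDN ..."); make it a requirement statement, e.g. "The CA confirms the Applicant's control over ... by confirming control of the SMTP FQDN to which ...". Renumbering CAA Records from 3.2.2.3 to 3.2.2.4 also breaks any existing cross-reference to "Section 3.2.2.3" for CAA elsewhere in SBR.md, and the pointer to "Section 3.2.2.4 of the Baseline Requirements" now collides with the local 3.2.2.4 heading, so consider naming the TLS BRs explicitly there. Minor grammar: "If more than one SMTP FQDNs have been discovered" should read "If more than one SMTP FQDN has been discovered".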
Expand Down Expand Up @@ -2198,4 +2207,4 @@ The DNS TXT record MUST be placed on the "`_validation-contactemail`" subdomain

### A.3.2 DNS TXT Record Phone Contact

The DNS TXT record MUST be placed on the "`_validation-contactphone`" subdomain of the domain being validated. The entire RDATA value of this TXT record MUST be a valid Global Number as defined in RFC 3966, Section 5.1.4, or it cannot be used.
The DNS TXT record MUST be placed on the "`_validation-contactphone`" subdomain of the domain being validated. The entire RDATA value of this TXT record MUST be a valid Global Number as defined in RFC 3966, Section 5.1.4, or it cannot be used.
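Review bot: the removed and added lines in this hunk read identically in the rendered diff, so the change appears to be whitespace or end-of-file newline only; if that is the intent, mention it in the commit message, otherwise drop the hunk to keep the PR focused on the new validation method.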