I have the feeling that this is going to be something over-complicated... Let's think about a simple case, which is, I think, the most common scenario where there's some delegation:
1. A company needs MPKI service for its employees, who use email addresses in one or more domains owned by the company.
2. The CA validates that the company has control over the domain and grants MPKI access with domain constraints.
3. The company, which already has its own controls on the people before assigning an email address to an individual (e.g. the HR dept does a vetting and asks the IT dept to create the account), is autonomous to enroll new users and provide them certificates. The CA is not providing any value or security by doing additional validations on each individual.

This is what we do for corporate MPKI services with domain constraints. I can't talk on behalf of all CAs, but I think this is the use case that we'd want to be able to keep.

Best,
Pedro

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

