japarson
commented
2 weeks ago Hi @vrubleg, I'm meeting with the maintainers of the Trusted Signing service later this month. I'll be sure to bring up this request.
Open vrubleg opened 2 weeks ago
japarson
commented
2 weeks ago Hi @vrubleg, I'm meeting with the maintainers of the Trusted Signing service later this month. I'll be sure to bring up this request.
Jaxelr
commented
2 weeks ago At least @TacoTechSharma and myself have visibility on this.
You already have almost everything for (optional) specifying email address in certificates. An email address is separately requested when an identity validation request is created, and it already can be different from private email that is used for Azure. The email that is specified for the identity validation is already verified during validation. So a user can already put a public contact email there and proof that they have access to it during validation. The only thing that is missing is an option to add this email to the certificate.
Why it can be important? There are people with similar names living in the same country, so combination of full name and country is not unique. A validated contact email might help with distinguishing certificates of different individuals. For example, if I want to verify from my program that an update file is signed by me, I can't rely on the certificate thumbprint (because it's extremely short-living) or just CN (because namesakes are potentially possible). A combination of full name (
CN), country (C), and email is much more reliable.Also, a signature with email specified just looks more trustworthy when a user checks it in the file properties. When there is "Not available" instead of an email, it feels like something is off. I would happily specify my support email there.