On Mon, Aug 20, 2018 at 4:06 AM, pekka.lahtiharju--- via dev-security-policy <[email protected]> wrote:
> In our implementation E value in our certificates was "true" if it passed > our technical and visual verification. If the BR requirement is to do "any" > verification for E then the verification techniques we used should be OK. > We think that BR has meant that both OU and E are based on values defined > by Applicant and it is not mandatory to do any email send/response > verification. How do you conclude that BR words "has been verified by the > CA" actually means that some email has to be sent? In our opinion E is just > a support email address and its verification is not similar to important > subject fields like O,L or C but can be compared to OU verification. The BRs exclusively detail, with only one exception, how to ensure the information presented in the certificate is accurate (c.f. 7.1.4.2), and that the information is factual (c.f. 4.2.1) and with a verification process (c.f. 3.2.2). Could you describe where in your CP/CPS your procedures for email validation were documented? _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
