I agree that this culminates in the question of what it means when a requirement is "verified by CA". When that is not specified anywhere, and specifically not in the E validation chapter of the BR, I have interpreted it to mean that weak E verification methods are also acceptable. I understand that it would be "nice" to use stronger methods, but the point is whether it is "illegal" to use a weak method when such a method is not prohibited.
In our old process we have accepted personal addresses because in some cases a single person really is the "support point" of a server. In practice, a personal address has only been accepted if the same person is also the technical or administrative contact of the application. If anybody complains, or we notice in our visual check that the name or address can't be correct, we revoke or don't accept. In practice there have never been any complaints related to our approved E values (except now in this discussion). Note that all used E values have originated from authenticated customers' CSRs. Note! Because we want to follow "best practices", we have already stopped using these weak methods based on these discussions.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

