David E. Ross wrote:
For any class of certificate and for any certificate type (i.e., mail
authentication, Web site security, code-signing), I would expect two
levels of subscriber verification.
The first level would be to verify that the Web domain or E-mail address
for the subscriber's certificate is indeed "owned" by the subscriber or
that the person applying for the subscriber certificate is indeed
authorized to do so by the owner. This appears to be met by StartCom's
practices.
The second level would be to verify that the owner of the Web domain or
E-mail address is indeed who he or she claims to be. For StartCom Class
1 certificates, this does not appear to be met by StartCom's practices.
This level cannot be automated and requires positive identification
of the corporeal persona, not of some abstract Internet entity.
Whether one agrees that it's sufficient or not, automated verification
of the type used by StartCom is pretty common practice for "class 1"
certificates issued by any number of CAs, including several that are
already in the Mozilla root list. This is essentially the classic
"control of domain" or "control of email account" style verification,
where the CA is not attesting to an actual real-life identity.
As you'll recall, in the course of creating the new certificate policy
we (meaning we in general, not just you and I) had lots of discussions
about the pros and cons of so-called "domain control" certs, and the
ultimate result is that the current Mozilla policy does not rule out CAs
issuing such certs.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
