> > My intent was to address identifying the persons who are subscribers,
> > well beyond merely verifying Web domains and E-mail addresses.
> > According to the StartCom CP (Sect. 11.III.A), that level of
> > verification is not done for Class 1 subscriber certificates.

Nor should it be; Class 1 certificates mean that only cursory checking is done, regardless of the CA. Look at all the CAs that are signed by GeoTrust that are already validated because it, Komodo, and Registerfly are the two that spring to mind. I know, from using Registerfly, that no greater care is given issuing certificates through Registerfly than is done for Class 1 certs from StartCom. Does this fact mean that you are going to remove your GeoTrust root and only accept "High Assurance" certificates from now on? I doubt it; try doing it on your personal browser and see how far you get.

> > In conclusion, I would not trust any Class 1 subscriber certificate
> > issued or signed by StartCom. I would recommend against including in a
> > Mozilla product any root or intermediate certificate used by StartCom to
> > sign its Class 1 subscriber certificates.
> >
> > As I indicated for CACert, those who really want the StartCom root or
> > intermediate certificates can always download and install them, thereby
> > assuming all risks without foisting those risks on Mozilla.

As long as the big CAs like Verisign, Thawte, and GeoTrust offer certificates that are less than thoroughly checked, or sign the root certs for CAs who offer them, I don't believe it is fair to exclude a CA solely on these grounds. At least with StartCom they actually use the terms "Class 1" and "Class 2" in the names of the intermediate CAs, so you can easily SEE which verification level a cert has received. I wish the big CAs did that.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto