Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker wrote:
>> If you have further questions please feel free to ask them in the bug;
>> I think Melanie Raemy of SwissSign is following the bug traffic but
>> not the newsgroup discussion.
> Obviously I don't want to bother at the bug if unnecessary...so I prefer
> to follow up first of all here...
>
> First of all I realized that Gerv was already up to this issue in the
> bug itself but didn't follow through entirely...Please see what I found
> out, possibly correcting me if I'm wrong. There are currently two
> separate issues which require clarification:
>
> 1.)
>
> The DC fields are not relevant for server certificates (browsers).
> It's the CN field which matters...Now according to Melanie's comment
> at https://bugzilla.mozilla.org/show_bug.cgi?id=343756#c14 she mentions:
>
> "/DC= fields will only be accepted if a printout of the WHOIS entry
> for the domain is included." (also part of 3.2.2)
>
> So if the printout wasn't provided the DC fields are being omitted
> which doesn't have any effect on the browser which checks the CN
> field. What's also interesting is, why does the subscriber have to
> provide the WHOIS records print instead of the CA fetching them by
> themselves as a third party information source? (The latter just a
> minor curiosity)
>
> Now also in the Gold CP/CPS under section 3.2.2 Authentication of
> organization identity it says:
>
> "SwissSign validates that the person enrolling for the certificate
> has control of the domain by requiring the
> person to respond to an e-mail hosted at that domain."
>
> However according to this statement this can be *any* email address...
>
> 2.)
>
> The Silver CP/CPS omits any reference to domain ownership or
> verification at all! Going through the entire document there is no
> actual reference to server certificates (or whois/domain checks and
> validations), but under
> http://www.mozilla.org/projects/security/certs/pending/#SwissSign
> they seem to request also server certificates trust bits set.
>
>
> Again, I might have missed something here...if not I suggest that you or
> I ask about clarification at the bug.

Eddy, please ask exactly those questions in the bug.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto