Eddy Nigg (StartCom Ltd.) wrote:
> Michael Ströder wrote:
>> I agree with Eddy on this. When defining cert profiles for CAs I always
>> take into consideration the set of relying participants. If the certs
>> are to be used globally they SHOULD be readable to the international
>> public like other international legal documents. This is not a technical
>> issue.
>
> [..] For me left to add, that localized certificates are probably
> fine for a limited set of users issued by a locally operating CA but not
> for a product used internationally on the world-wide-web

Well, I think if the CA clearly states in its CP/CPS that the users (subscribers and relying participants) of the issued certificates SHALL be solely "local" users it does not matter whether Mozilla is a product used globally. But for most CAs issuing SSL/TLS certs this assertion can simply not be made.

=> The cert's content MUST be readable to the international public.

>> For this particular attribute one should stick to the two-letter country
>> code (ISO 3166) as defined in X.520 section 5.3.1. Note that RFC 3280
>> also refers to X.520 (1993) in this regard.
>
> Agreed! And I think that also in this regard we have to improve the
> Mozilla CA policy and/or recommended practices for CAs.
> This will be for the benefit of all sides, being it the relying party
> (Mozilla, its users), the CAs and at last but not least it will
> improve the standing of digital certificates generally.

I agree here. When writing a cert profile / CPS I'm often grateful for any advice I can get from other clearly defined standards or policies.

Ciao, Michael.
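
The country-code recommendation in the message above can be checked mechanically when reviewing a cert profile. The following is an added example, not part of the original thread: a minimal DER walker that flags a countryName attribute (OID 2.5.4.6) that is not a two-letter PrintableString. The function names and sample names are constructed for illustration, and the check covers the format only, not membership in the ISO 3166 list.

```python
COUNTRY_OID = bytes([0x55, 0x04, 0x06])      # 2.5.4.6, countryName
COMMON_NAME_OID = bytes([0x55, 0x04, 0x03])  # 2.5.4.3, commonName
PRINTABLE_STRING = 0x13

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def country_findings(name_der):
    """Return a list of problems with countryName attributes in a DER Name."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    findings, seen = [], False
    for _, rdn in children(rdns):            # each RDN is a SET
        for _, atv in children(rdn):         # AttributeTypeAndValue
            (_, oid), (vtag, val) = list(children(atv))[:2]
            if oid != COUNTRY_OID:
                continue
            seen = True
            if vtag != PRINTABLE_STRING:
                findings.append(f"C uses string tag 0x{vtag:02x}, expected PrintableString")
            text = val.decode("utf-8", "replace")
            if not (len(val) == 2 and text.isascii() and text.isalpha()):
                findings.append(f"C value {text!r} is not a two-letter code")
    return findings if seen else ["no countryName attribute present"]

def tlv(tag, body):
    """Encode a short-form DER element (enough for the constructed samples)."""
    return bytes([tag, len(body)]) + body

def sample_name(country_tag, country_bytes):
    """Constructed sample: Name with C=<country_bytes>, CN=example.test."""
    c = tlv(0x30, tlv(0x06, COUNTRY_OID) + tlv(country_tag, country_bytes))
    cn = tlv(0x30, tlv(0x06, COMMON_NAME_OID) + tlv(0x0C, b"example.test"))
    return tlv(0x30, tlv(0x31, c) + tlv(0x31, cn))
```
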