Eddy Nigg (StartCom Ltd.) wrote, On 2008-03-15 13:27 PDT:
> 3.) Here are a few questions in relation to the LiteSSL CPS:
>
> * 1.12 states: "Because LiteSSL and LiteSSL Wildcard certificates
>   are not intended to be used in an e-commerce transaction or
>   environment, parties who rely on a LiteSSL or LiteSSL Wildcard
>   certificate do not qualify as a relying party." How can a relying
>   party NOT be a relying party? This is also confirmed under section
>   4.11.

Wow! I'd say that a CA that says "You cannot rely on our certs for eCommerce" should not be trusted for SSL by default in Mozilla products! Of course, that's a policy issue. Frank, what do you think?

> * 4.1 states that the enrollment process MAY include check for
>   domain ownership. This means that the checks can be omitted?

A good question.

> * 2.4.7 states that LiteSSL certificates are (maybe) domain name
>   validated only, but also issues wild card certificates (2.4.1).
>   How does Comodo prevent or control misuse of wild card
>   certificates, especially in relation to phishing attempts?

Well, presumably, the wildcard certs they issue are valid for multiple names within the domain that they validated only. They then rely on the subject party to use the certs only in the servers that they control in that domain.

But that last statement is true of all CAs. All CAs depend on the subject parties to control the use of the certs issued to them, and the CAs can revoke the certs if they find that the certs have not been adequately controlled.

So, this particular part doesn't bother me, AS LONG AS they really are domain validated.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto