Lately I've been busy exploring various CP/CPS of different CAs, which started with the inclusion and update request of Comodo. I searched for more incidents where CAs issue domain validated wildcard certificates and domain validated certificates with validities for ten years. I was pointed to GoDaddy and could confirm them having such certificates as well.

To my surprise I also found that Thawte's CPS at section 11.2.1 (page 110) at https://www.thawte.com/ssl-digital-certificates/free-guides-whitepapers/pdf/Thawte_CPS_3_5.pdf and Verisign's CPS at section 15.4.2 at http://www.verisign.com/repository/CPS/VeriSignCPSv3.5.pdf have similar stipulations for DV certs.

In light of what I've found recently, we decided at StartCom that it's time to counter these practices with something better than that. As of today we'll issue intermediate CA certificates for free through our website, which are of course strictly domain validated. The intermediate CA certificates are also valid for ten years and allow webmasters to integrate our certificate wizards into their web sites, which in turn allows the creation of domain validated certificates, signed by the respective subordinated CA root.

Of course everything is operated on our own infrastructure and completely secure, except that the sub CA certificates are not stored in the HSM because we don't have space for the many keys we expect.

Frank, I guess this isn't a problem with you, as the Mozilla CA policy has no requirements or conditions in that respect. I just thought I'd get your advice before making a press release public. Oh, and of course we'll update our CPS accordingly once I get some more time for it... it has been a rush here lately.

Everything under the banner: "If you can't beat them, join them" :-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto