Eddy Nigg (StartCom Ltd.) wrote:
> Therefore I'd like to request clarification and verification about how
> domains are validated by the RAs, since the CPS isn't clear in that
> respect.

<snip>

> Reference is 3.1.8 from the CPS:
>
> Registration Authorities operating under the Entrust SSL Web Server
> Certification Authorities
> shall determine whether the organizational identity, address, and domain
> name provided with an Entrust
> SSL Web Server Certificate Application are consistent with information
> contained in third-party databases
> and/or governmental sources.

This language and other language in section 3.1.8 seem pretty standard to me; I've seen language like it in lots of CPSs. As I read it, RAs get various identity-related documents from applicants and cross-check that information against various databases, including checking the association between domain name and organizational identity, to make sure there are no inconsistencies (e.g., the domain name isn't registered to someone else). The CPS requires RAs to take "commercially reasonable efforts" in doing this.

Compare this to what our policy requires ...

    for a certificate to be used for SSL-enabled servers, the CA takes
    reasonable measures to verify that the entity submitting the
    certificate signing request has registered the domain(s) referenced
    in the certificate or has been authorized by the domain registrant
    to act on the registrant's behalf

The policy doesn't specify exactly how this verification is to be done, only that the measures be "reasonable". In the US and Canada (where Entrust is based) the term "commercially reasonable" as used in the Entrust CPS means something like "what a reasonably prudent business person would do in similar circumstances"; this level of effort is consistent with our intent in the policy.

Maybe I'm being dense, but I don't see what the issue is here.

Frank

--
Frank Hecker
[EMAIL PROTECTED]