On 12/30/2008 08:39 PM, Kai Engert:
Eddy Nigg wrote:
On 12/28/2008 01:13 PM, Kai Engert:

The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ..."


Kai, just to counter Ian's reply:

The objective of the Mozilla CA policy is to provide sound, reliable
and in this context reasonable security for its users.

This is anchored clearly in the Mozilla Manifesto as a principle and
further described and defined in the Mozilla CA Policy where PKI and
CAs are concerned. The Mozilla CA Policy is clear in its requirements,
*intent* and what it is meant to achieve. All the rest is just
throwing sand into one's eyes.

In this respect section 7 of said policy clearly states what the
requirements are. CAs may find different ways to achieve and conform
to those requirements, however it should not lead to a compromise of
those requirements. Personally I wouldn't outsource domain control
validation but incorporate it into the general process of certificate
issuance. In case it is delegated, the third party must provide
attestation of their conformance. I think this is what you were
proposing...


I edited the Problematic Practices page and added https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties

It might need some improvement. Frank, can you review? This will obviously affect only future inclusion requests and is not a resolution to the current issue and other CAs which might be affected.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
