On 12/31/2008 01:27 AM, Frank Hecker:

One reason I say this is "good CA practice" as opposed to a mandatory
requirement, is because of cases like enterprise PKIs where the
enterprises might act as RAs and do verification based on their own
internal systems (e.g., HR databases).
I think this is what we want to avoid actually, don't we? Or perhaps we could leave it as is, since the Mozilla CA Policy is actually clear in relation to validations.

Incidentally, I previously had a problem with Microsoft's policy of disallowing certain enterprise scenarios, so here it might make some sense. But even then, the proposal would actually call for an attestation, whereas the attestation itself hasn't been defined yet. I think this is also what Kay proposed.

Now, we must not forget what an RA is, what a reseller is and what an enterprise scenario is. RAs are interesting for the verification and validation of identity documents in person, for example, or of organizations for that matter. Since RAs always have to interact with the CA at some point, I believe incorporating domain/email validation is more than easy. Even in enterprise settings that is possible.

Resellers should not perform any validation procedures at all. They should sell certificates and not be involved with any of the technical side of the procedures. Reseller != RA.

As such, I believe that it would be good to improve the Mozilla CA Policy and work towards better definitions and requirements. Even if the validation aspect is clearly defined and *required*, we might exclude certain practices outright. There are of course other points I'd like to have improved.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto