Eddy Nigg wrote:
On 02/10/2009 04:25 PM, Yannick LEPLARD:
<snip>
RA operators must obtain guarantee than the e-mail address is owned by
the
requester.
It's difficult in fact to make such controls.
Email validation isn't too difficult to implement, however we have seen
various times that this isn't done sufficiently or correctly.
Note that the official Mozilla policy doesn't attempt to dictate exactly
what mechanisms a CA uses to verify ownership of email addresses, it
simply requires that "the CA takes reasonable measures" to verify this.
We can quibble about whether particular measures are "reasonable" or
not. However traditionally the major concerns we've had were with CAs
that did not have any CPS or CP language at all about verifying email
addresses.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
