Nelson B Bolyard wrote:
> 
> > CAs vouch and are liable for every single bit in the ToBeSigned part
> > of a certificate, no matter what stupid things they claim in any weird
> > and ineffective "certificate practice statement" (CPS).
> 
> I think you'll find that lots of lawyers disagree.  To the contrary, they
> would claim that the expectation that CAs do anything other than what their
> CPSes say is the stupid part.  In most jurisdictions, there's no law that
> says what CAs must do, so CAs are bound by contract, and the contracts all
> cite the CPSes.

It is the CAs who asked the browser vendors to ship their certs
preconfigured as trusted!

How many "certificate practice statements" (CPS) have you had to click
through before your browser allowed you to establish a TLS-protected
communication?

For every user, where the count is "none", there is _no_ CPS in effect.

-Martin
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
