Am 2013-10-04 08:57, schrieb Florian Weimer: > Section 3.2.2 in the current DFN-PKI CP (version 3.0) opens the door > for government-sponsored interception certificates because the > language does not require that the future certificate owner controls > the domain name or has been authorized by the domain owner. It only > requires a right to use asserted by applicable documents, including > documents issued by unnamed government agencies.
Only organizations participating in the DFN-PKI can get certs, and only in their name. The rules about "applicable documents" are for OV (i.e. verifying that an organization exists and is what they claim to be), and seem pretty standard, if slightly vague. The right to use a domain name is very different from the right to intercept traffic to a domain. I see nothing there that would even remotely indicate willingness to issue intercept certificates. Kind regards, Jan -- Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers... _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
