Ok, now i get the point.
Regarding the first bullet point:
Our current approach is to check the organisation as described. This is very
restrictive and maybe not practical at all, but was intentional. We will
recheck the bullet point and adopt it if necessary.
Regarding the second bullet point:
You are right. It is to permissive compared to the CAB forum requirements.
But also please note, we inculded the CAB forums requirements in clause 266,
which restricts these and f.e. ensures that the applicant either is the domain
name registrant or has control over the FQDN (CAB 11.1.1).
Our current approach is to check if the requestor is allowed to request the
certificate as well, to comply to the CABForum requirements.
However, we will recheck the complete clause and adopt it to make this part
more clearly, if necessary.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
