> Only organizations participating in the DFN-PKI can get certs, and only
> in their name. The rules about "applicable documents" are for OV (i.e.
> verifying that an organization exists and is what they claim to be), and
> seem pretty standard, if slightly vague.
I may add the following. I am an employee of a university that participates in the DFN PKI. In practical terms, the way to get a certificate is via a CSR sent from a Web interface that belongs to the local RA (which does not have signing power and is not a sub-CA). Allowable domains are whitelisted. It IS possible to get a certificate for a domain outside the normal hierarchy; however, the process is lengthy and involves direct contact with the DFN-CA and demonstrating administrative control over the domain, especially in terms of WHOIS (which must point to your affiliation). Whenever I go and collect an S/MIME certificate, BTW, I am required to attend in person and show my national identity card.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

