I'd like to explore how "Notification shall be made in an authenticated and trusted manner". Kathleen's wiki page says to send email to [email protected] or file a bug. How would Mozilla determine that the request was legitimate?
I suspect that Mozilla already maintains a short list of contacts for each CA. Only they (or some selected subset of them) should be able to report a revocation. Mozilla should have some other means of authenticating them. Maybe you have a cell phone number for each, which you will call to validate the request.

From the CA's perspective, I'd like this process to work the same for Apple, Microsoft and any other trusted root operator. I urge Mozilla to work with these other companies to come up with a unified standard.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

