On Mon, Oct 27, 2014 at 10:58 AM, John Nagle <na...@sitetruth.com> wrote:
>> On 27/10/14 08:16, Ryan Sleevi wrote: <snip> If you're trusting
>> certificates to assert information about either the identity of the
>> entity behind the key or that the CA has done due diligence, well,
>> you're using certificates for something they're neither intended for
>> nor well suited for, so you'll have a bad time.
>
>     In May 2012, when this was last discussed, that was a reasonable
> position. There have been some changes in standard CA practice since then.

Yes, however there are plenty of certs still in use that are unexpired
which don't follow these "standard" practices.

Specifically, from the CT logs, 139935 certificates that are unexpired
meet the following criteria:
- Do not have a State/Province or Locality Name in the Subject
- Have the same string for Organization and Common Name in the subject

The string used for the Organization Name appears to be a fully
qualified domain name in the certificates that I checked.

I trust that this practice is not happening in new certificates, but
thousands of existing certificates clearly have Organization Name
attributes that are not usable.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
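The criteria Peter describes can be checked mechanically against the DER Subject of any certificate. The following is an added example written for this page, not code from the thread, Mozilla, or any CA: a minimal hand-written DER reader for an X.509 Name (so it needs no third-party packages), a check for the two listed criteria (no ST/L, O identical to CN), and a separate FQDN heuristic for the "O looks like a domain name" observation. All function names are my own, and the two sample Subjects are constructed inline rather than taken from real certificates or CT logs.

```python
"""Flag X.509 Subjects whose Organization attribute is really a domain name.

Added example for the mailing-list post above. Implements Peter's criteria
(no ST/L in the Subject; O identical to CN) plus a heuristic for the
observation that the shared string is an FQDN. Runs offline with only the
standard library; the sample Names below are constructed, not real certs.
"""
import re

# Attribute type OIDs we care about, with their RFC 4519 short names.
OID_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
}

# Host-name shape: one or more labels (letters/digits/hyphens, no leading or
# trailing hyphen), then an alphabetic TLD. Deliberately strict; no wildcards.
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Parse a Name (SEQUENCE OF SET OF AttributeTypeAndValue) into [(type, value), ...]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_raw, value_start = _read_tlv(atv, 0)
            _, value_raw, _ = _read_tlv(atv, value_start)
            oid = _decode_oid(oid_raw)
            # PrintableString/UTF8String/IA5String all decode as UTF-8 for
            # ASCII data; BMPString/T61String are out of scope here.
            attrs.append((OID_NAMES.get(oid, oid), value_raw.decode("utf-8")))
    return attrs


def looks_like_fqdn(s):
    return bool(_FQDN.match(s))


def matches_criteria(attrs):
    """Peter's two criteria: no ST or L attribute, and exactly one O equal to exactly one CN."""
    types = {t for t, _ in attrs}
    if types & {"ST", "L"}:
        return False
    orgs = [v for t, v in attrs if t == "O"]
    cns = [v for t, v in attrs if t == "CN"]
    return len(orgs) == 1 and len(cns) == 1 and orgs[0] == cns[0]


# --- tiny DER encoder, only used to build the constructed samples below ---
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(enc)
    return _tlv(0x06, bytes(out))


def _name(*attrs):
    """Build a Name with one single-attribute RDN per (oid, value), values as UTF8String."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _oid(o) + _tlv(0x0C, v.encode()))) for o, v in attrs)
    return _tlv(0x30, rdns)


# Constructed samples (not real certificates): one Subject of the kind the post
# describes, and one conventional OV-style Subject for contrast.
DOMAIN_AS_ORG = _name(("2.5.4.6", "US"), ("2.5.4.10", "www.example.com"), ("2.5.4.3", "www.example.com"))
OV_STYLE = _name(("2.5.4.6", "US"), ("2.5.4.8", "California"), ("2.5.4.7", "Mountain View"),
                 ("2.5.4.10", "Example Corp"), ("2.5.4.3", "www.example.com"))

if __name__ == "__main__":
    for label, der in (("domain-as-O", DOMAIN_AS_ORG), ("OV-style", OV_STYLE)):
        attrs = parse_name(der)
        o = dict(attrs).get("O", "")
        print(label, attrs, "criteria:", matches_criteria(attrs), "O is FQDN:", looks_like_fqdn(o))
```

To run this against real data, feed `parse_name` the raw Subject bytes pulled from a certificate (for example the `subject` field of a `cryptography` or OpenSSL parse) and count the hits; the FQDN test is kept separate from `matches_criteria` because the post presents it as an observation about the certificates Peter inspected, not as one of the query criteria.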
