I don't so much have a problem with the change but I would like to know if this 
is fairly common across other cert issuers?

Personally I'm of the opinion that email is inherently insecure which makes it 
a bad mechanism to use in the course of trying to establish trust. However, my 
concern at the moment is the use of privacy services to obscure the actual 
owner/registrar of the domain. I see no reason to believe such services are any 
more trustworthy than the email channel. In fact it seems to me that those 
services are the weakest link in the chain.

The implication is that only method 1, below, should be employed. However, if 
everyone else is also employing method 2 I don't want to single out SECOM 
unfairly.


  Original Message  
From: Kathleen Wilson
Sent: Tuesday, December 1, 2015 11:34 AM

> Here is the text that was added to the CP:
> ~~
> The authentication method is as follows:
> 1. Using the WHOIS registry service, SECOM Trust System verifies that
> the relevant subscriber owns the domain to which the Certificate pertains.
> 2. Should the owner of the domain be different from the subscriber,
> SECOM Trust Systems authenticates the domain by having the domain owner
> submit to SECOM Trust Systems a document granting subscriber the
> permission to use the domain or by sending a verification e-mail to the
> e-mail address of the domain owner registered in the WHOIS registry
> service.
> ~~
>
> If everyone is OK with this, then I will proceed with recommending
> approval of this request to enable EV treatment for the "Security
> Communication RootCA2" root certificate.
>
> I will also track an action item to ensure that SECOM adds the updates
> in the translated version of their CP back to the original CP.
>
> Kathleen
>


Thanks again to everyone who reviewed and commented on this request from 
SECOM to enable EV treatment for the "Security Communication RootCA2" 
root certificate.

I am now re-closing this discussion and will recommend approval in the 
bug. In parallel, I will also track the action item for SECOM to update 
their original CP according to the changes they drafted in the English 
version.

https://bugzilla.mozilla.org/show_bug.cgi?id=1096205

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy