On Thu, May 19, 2016 at 02:26:15PM -0500, Peter Kurrasch wrote: > My recommendation is for Mozilla to reject this request from Symantec on > the grounds that it is unnecessary. As others have pointed out recently, > the chief function of a CA is to certify identity. That certification > should be ably met with the regular cert issuance procedures rendering the > EV procedures superfluous. That, or perhaps the CA knows of certain > weaknesses in the regular identification process that have been remedied > for the EV process? Perhaps EV is a way of saying, "No, seriously you > guys, this time we really, really identified the cert applicant."
Huh? There are different degrees of identity verification that can be undertaken (identity of the server, identity of the applicant), and those are valid and useful distinctions. - Matt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
