On 19/05/16 20:26, Peter Kurrasch wrote:
> My recommendation is for Mozilla to reject this request from Symantec
> on the grounds that it is unnecessary. As others have pointed out
> recently, the chief function of a CA is to certify identity. That
> certification should be ably met with the regular cert issuance
> procedures rendering the EV procedures superfluous.

You have this the wrong way around. Mozilla's position (de facto, I guess) is that anything short of EV is not sufficient validation of identity. Which is why we don't present it in the UI. So yes, an important function of a CA is to certify identity, and that's precisely why we have EV.

> That, or perhaps
> the CA knows of certain weaknesses in the regular identification
> process that have been remedied for the EV process? Perhaps EV is a
> way of saying, "No, seriously you guys, this time we really, really
> identified the cert applicant."

You would need to ask individual CAs about the way that they market and validate their non-EV certificates which purport to contain identity information. (They usually call this "OV".)

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy