Nick Lamb <tialara...@gmail.com> writes:

>In practice then I think we should try to ask local experts (ie people at
>least resident in the relevant country) when trying to judge whether the
>Locality and State elements of a Subject DN are acceptable for identifying
>the actual Subject unless it is very obvious (as with the 'test' example)
>that they could not be.

I don't even think we need to do that, particularly as certs are used on the web. The only thing that matters there is the name of the resource it's bound to, e.g. web server name, mail server name, whatever. So you pay attention to the CN (or altName equivalent), and the rest is irrelevant.

For the little other use that certs get, the government body that's behind their use (or, occasionally, a corporate) decides what goes in each of the DN components. They define the use, and typically issue the certs, so they can specify whatever they want for the DN. It's been like this for 20-odd years now, I don't see any great need to change it. Sure, X.500 doesn't work, but people are pretty adaptable.

Peter.