On Wed, Apr 19, 2017 at 10:41:33PM +0000, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy <email@example.com> > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the province > >is Flevoland. > > How much checking is a CA expected to do here? I know that OV and DV certs > are just "someone at this site responded to email" or whatever, but for an > EV cert how much further does the CA actually have to go?
For the EV cert we got we got a phone call asking if she could speak to someone else to confirm that he works there. That also wasn't what I expected. I expected that they would at least check that he has the authority to do so, like asking the CEO. (It was a code sign certificate, but I expect if it's labeled EV that the same things apply.) Kurt _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy