I think a broad definition is appropriate here. Mozilla is not obliged to do 
anything at all, much less anything drastic if it is discovered that 
mis-issuance has occurred. At most we might think it time to re-evaluate this 
policy.

Fools are endlessly inventive, so a too-narrow definition runs the risk of 
missing something so obvious that, when a CA inevitably gets it wrong, we're 
astonished to find it's not included.

One risk I do anticipate is CAs which have inadequately bound together separate 
validation steps, such as where a domain validation was done by an applicant, 
and a CSR proving control of a particular private key was presented by an 
applicant, but it turns out they weren't actually the same applicant, so it 
will be an error to issue a certificate binding the two together.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
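The mis-binding the post describes, as an added illustration that is not part of the original message or of any CA's code. It is a toy issuance pipeline in Go: completed domain validations are stored with the account that completed them, a CSR's self-signature is checked as proof of key control, and the lookup either ignores the applicant (the bug) or requires that the validation and the CSR come from the same account. The account IDs, the `Issuer` type and its `RequireSameApplicant` switch are assumptions made for the example; the CSR handling uses the Go standard library's crypto/x509 as-is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"time"
)

// Validation is one completed domain-control validation, recorded together
// with the applicant (account) that completed it. Account IDs and this
// in-memory table are assumptions of the example, not any CA's schema.
type Validation struct {
	AccountID string
	Domain    string
	Expires   time.Time
}

// Issuer is a toy issuance pipeline. With RequireSameApplicant unset it has
// the mis-binding bug: any applicant's validation of a name satisfies any
// other applicant's CSR for that name.
type Issuer struct {
	RequireSameApplicant bool
	validations          []Validation
}

// RecordValidation stores a completed validation for (accountID, domain).
func (i *Issuer) RecordValidation(accountID, domain string, expires time.Time) {
	i.validations = append(i.validations, Validation{accountID, domain, expires})
}

// validated reports whether an unexpired validation for domain exists; the
// applicant is only consulted when RequireSameApplicant is set.
func (i *Issuer) validated(accountID, domain string, now time.Time) bool {
	for _, v := range i.validations {
		if v.Domain != domain || !now.Before(v.Expires) {
			continue
		}
		if !i.RequireSameApplicant || v.AccountID == accountID {
			return true
		}
	}
	return false
}

// Issue checks a CSR submitted by accountID: the CSR's self-signature proves
// control of the private key, and every requested DNS name must be backed by
// a validation. It returns the names it would certify, or an error.
func (i *Issuer) Issue(accountID string, csrDER []byte, now time.Time) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	// Proof of possession: the request must verify under the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, errors.New("CSR requests no DNS names")
	}
	for _, n := range csr.DNSNames {
		if !i.validated(accountID, n, now) {
			return nil, fmt.Errorf("no validation of %q bound to account %q", n, accountID)
		}
	}
	return csr.DNSNames, nil
}

// MakeCSR generates a fresh Ed25519 key and a CSR for domains signed with it.
// The applicant keeps the key; only the DER-encoded CSR reaches the issuer.
func MakeCSR(domains []string) ([]byte, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domains[0]},
		DNSNames: domains,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

func main() {
	now := time.Now()
	csr, err := MakeCSR([]string{"example.com"})
	if err != nil {
		panic(err)
	}
	for _, strict := range []bool{false, true} {
		ca := &Issuer{RequireSameApplicant: strict}
		// alice completed the validation; mallory presents a CSR for the same name.
		ca.RecordValidation("alice", "example.com", now.Add(time.Hour))
		names, err := ca.Issue("mallory", csr, now)
		fmt.Printf("RequireSameApplicant=%v: mallory -> names=%v err=%v\n", strict, names, err)
	}
}
```

The loose issuer accepts mallory's CSR because each step was individually valid; only the join between them was never checked. The fix is not a stronger check on either step but keying the validation lookup on the applicant as well as the name.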
