I think a broad definition is appropriate here. Mozilla is not obliged to do anything at all, much less anything drastic if it is discovered that mis-issuance has occurred. At most we might think it time to re-evaluate this policy.
Fools are endlessly inventive, so a too-narrow definition runs the risk of missing something so obvious that, when inevitably a CA gets it wrong, we're astonished to find it's not included. One risk I do anticipate is CAs which have inadequately bound together separate validation steps, such as where a domain validation was done by an applicant, and a CSR proving control of a particular private key has been presented by an applicant, but it turns out they weren't actually the same applicant, so it will be an error to issue a certificate binding the two together.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
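The binding failure the post describes (a domain validation completed by one applicant, a CSR proving key control presented by another, and a certificate issued that ties the two together) can be made concrete with a small model of a CA's issuance gate. The following is an added example, not code from the post or from any real CA or policy; the record types, the 30-day reuse window and the sample applicants are constructed for illustration. The point it demonstrates is that both proofs must be looked up under the account that is requesting issuance, so a proof completed by someone else can never satisfy the request.

```python
"""Toy model of binding a CA's separate validation steps to one applicant.

Constructed example for illustration; it is not a real CA's code, and the
account identifiers, domains and reuse window below are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Assumed window during which a completed domain validation may be reused.
# This is a parameter of the example, not a value taken from any policy.
VALIDATION_LIFETIME = timedelta(days=30)


@dataclass(frozen=True)
class DomainValidation:
    account_id: str        # applicant (CA account) that completed the challenge
    domain: str
    validated_at: datetime


@dataclass(frozen=True)
class KeyControlProof:
    account_id: str        # applicant that submitted the signed CSR
    key_fingerprint: str   # SHA-256 over the public key bytes from that CSR
    proven_at: datetime


@dataclass(frozen=True)
class IssuanceRequest:
    account_id: str
    domain: str
    key_fingerprint: str
    requested_at: datetime


def fingerprint(public_key_bytes: bytes) -> str:
    """Stable identifier for a public key; here a plain SHA-256 of its bytes."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def authorize_issuance(request, validations, key_proofs):
    """Return (ok, reason).

    Issue only when a domain validation AND a key-control proof exist, both
    belong to the requesting account, and the domain validation is still
    within its reuse window. Every lookup is keyed on request.account_id, so
    a validation or proof completed under a different account is ignored.
    """
    dv = next((v for v in validations
               if v.domain == request.domain
               and v.account_id == request.account_id), None)
    if dv is None:
        if any(v.domain == request.domain for v in validations):
            return False, "domain validation belongs to a different applicant"
        return False, "no domain validation for this domain"
    if request.requested_at - dv.validated_at > VALIDATION_LIFETIME:
        return False, "domain validation expired"

    kp = next((p for p in key_proofs
               if p.key_fingerprint == request.key_fingerprint
               and p.account_id == request.account_id), None)
    if kp is None:
        if any(p.key_fingerprint == request.key_fingerprint for p in key_proofs):
            return False, "key control proven by a different applicant"
        return False, "no proof of control for this key"
    return True, "ok"


# --- constructed scenario -------------------------------------------------
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
KEY_K = fingerprint(b"constructed-public-key-bytes-for-K")

# Applicant "acct-alice" validated example.com; applicant "acct-bob" proved
# control of key K. Neither step alone should let Bob get a cert for
# example.com with key K, and Alice must also prove control of K herself.
VALIDATIONS = [DomainValidation("acct-alice", "example.com", T0)]
KEY_PROOFS = [KeyControlProof("acct-bob", KEY_K, T0)]


def scenario():
    """Run the three cases from the post's risk description and return them."""
    bob = IssuanceRequest("acct-bob", "example.com", KEY_K, T0 + timedelta(days=1))
    alice_no_key = IssuanceRequest("acct-alice", "example.com", KEY_K, T0 + timedelta(days=1))
    proofs_with_alice = KEY_PROOFS + [KeyControlProof("acct-alice", KEY_K, T0)]
    alice_ok = alice_no_key
    alice_late = IssuanceRequest("acct-alice", "example.com", KEY_K, T0 + timedelta(days=40))
    return {
        "bob_with_alices_validation": authorize_issuance(bob, VALIDATIONS, KEY_PROOFS),
        "alice_with_bobs_key_proof": authorize_issuance(alice_no_key, VALIDATIONS, KEY_PROOFS),
        "alice_bound_correctly": authorize_issuance(alice_ok, VALIDATIONS, proofs_with_alice),
        "alice_after_window": authorize_issuance(alice_late, VALIDATIONS, proofs_with_alice),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print(f"{name}: {'ISSUE' if ok else 'REFUSE'} ({reason})")
```

The design choice worth noting is that the account identifier is part of every lookup rather than being checked once up front: a pipeline that first answers "is example.com validated?" and separately "is key K proven?" as two yes/no questions, and only then records who is asking, is exactly the shape that lets two different applicants' results be combined.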

