I think a broad definition is appropriate here. Mozilla is not obliged to do 
anything at all, much less anything drastic if it is discovered that 
mis-issuance has occurred. At most we might think it time to re-evaluate this 

Fools are endlessly inventive, so a too-narrow definition runs the risk of 
missing something so obvious that, when inevitably a CA gets it wrong, we're 
astonished to find it's not included.

One risk I do anticipate is CAs which have inadequately bound together separate 
validation steps, such as where a domain validation was done by an applicant, 
and a CSR proving control of a particular private key has been presented by an 
applicant, but it turns out they weren't actually the same applicant, so it 
will be an error to issue a certificate binding the two together.
dev-security-policy mailing list
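As an added illustration of the binding failure described in the last paragraph (this is not code from the post, from Mozilla, or from any CA), the toy issuance gate below refuses to join a domain validation and a CSR unless both were performed by the same applicant account. The account identifiers, key fingerprints, domain names, and the 30-day freshness limit are all constructed for the example and stand in for whatever a real CA's records and policy would use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DomainValidation:
    """Record of a completed domain-control challenge (constructed shape)."""
    domain: str
    applicant_id: str        # account that completed the challenge
    completed_at: datetime


@dataclass(frozen=True)
class CsrSubmission:
    """A CSR whose proof of possession of the private key has already been checked."""
    applicant_id: str        # account that submitted the CSR
    key_fingerprint: str     # identifies the proven private key
    sans: tuple              # dNSNames requested


class IssuanceRefused(Exception):
    pass


def check_binding(csr, validations, now, max_age=timedelta(days=30)):
    """Return {san: validation} authorising every SAN of `csr`, or raise IssuanceRefused.

    A SAN is authorised only by a validation that names it, was completed by the
    same applicant account as the CSR, and is younger than `max_age` (the 30-day
    limit is an assumed policy value for this example, not a real CA's setting).
    """
    used = {}
    for san in csr.sans:
        name = san.lower()
        candidates = [v for v in validations if v.domain == name]
        if not candidates:
            raise IssuanceRefused(f"no domain validation on file for {name}")
        # The crux: the validation and the CSR must come from the same applicant.
        same_applicant = [v for v in candidates if v.applicant_id == csr.applicant_id]
        if not same_applicant:
            others = sorted({v.applicant_id for v in candidates})
            raise IssuanceRefused(
                f"{name} was validated by {others} but the CSR came from {csr.applicant_id}")
        fresh = [v for v in same_applicant if now - v.completed_at <= max_age]
        if not fresh:
            raise IssuanceRefused(f"validation of {name} by {csr.applicant_id} is stale")
        used[name] = max(fresh, key=lambda v: v.completed_at)
    return used


def try_issue(csr, validations, now):
    """Wrapper returning ('issued', [sans]) or ('refused', reason) instead of raising."""
    try:
        used = check_binding(csr, validations, now)
        return "issued", sorted(used)
    except IssuanceRefused as exc:
        return "refused", str(exc)


# Constructed sample data: two applicant accounts, two validated domains.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALIDATIONS = (
    DomainValidation("example.com", "acct-A", NOW - timedelta(days=2)),
    DomainValidation("old.example", "acct-B", NOW - timedelta(days=90)),
)
CSR_FROM_A = CsrSubmission("acct-A", "sha256:aaaa", ("example.com",))
CSR_FROM_B = CsrSubmission("acct-B", "sha256:bbbb", ("EXAMPLE.COM",))  # wrong applicant
CSR_STALE = CsrSubmission("acct-B", "sha256:bbbb", ("old.example",))   # right applicant, old

if __name__ == "__main__":
    for label, csr in [("A", CSR_FROM_A), ("B", CSR_FROM_B), ("stale", CSR_STALE)]:
        print(label, try_issue(csr, VALIDATIONS, NOW))
```

The point of the example is that a validation record is keyed by applicant as well as by domain; a gate that only asks "has this name been validated?" would happily issue `CSR_FROM_B` on the strength of acct-A's challenge, which is exactly the mis-binding the message anticipates.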
