It can be confusing even for people following these things. That's where I
think collecting problem reporting info from audited sub-CAs in CCADB would
help.
For everyone else, finding the correct problem reporting information is
mostly a matter of luck. Perhaps we should require an email address be
included in the end-entity certificate? Unless that info was exposed in the
browser, it would still be difficult to find, but at least it would then be
in a consistent location.
It may be related to that bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1418451
The certificate or an easily accessible public database should contain
the information of who really is responsible for the issuance and
revocation of the certificate.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy