On 2017-12-09 at 08:59 -0700, Wayne Thayer wrote: > It can be confusing even for people following these things. That's where I > think collecting problem reporting info from audited sub-CAs in CCADB would > help. > > For everyone else, finding the correct problem reporting information is > mostly a matter of luck. Perhaps we should require an email address be > included in the end-entity certificate? Unless that info was exposed in the > browser, it would still be difficult to find, but at least it would then be > in a consistent location.
Rather than an email, I think it should be a url. That could be an email through the use of mailto:, but I suspect CAs will find preferable to provide a web page where they explain what it is for, how to submit, etc. _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy