On 2017-12-09 at 08:59 -0700, Wayne Thayer wrote:
> It can be confusing even for people following these things. That's where I
> think collecting problem reporting info from audited sub-CAs in CCADB would
> help.
> 
> For everyone else, finding the correct problem reporting information is
> mostly a matter of luck. Perhaps we should require an email address be
> included in the end-entity certificate? Unless that info was exposed in the
> browser, it would still be difficult to find, but at least it would then be
> in a consistent location.

Rather than an email, I think it should be a URL. That could be an email
through the use of mailto:, but I suspect CAs will find it preferable to
provide a web page where they explain what it is for, how to submit,
etc.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
