On Fri, Apr 13, 2018 at 12:39:27AM +0000, Tim Hollebeek via dev-security-policy 
> > Independent of EV, the BRs require that a CA maintain a High Risk
> Certificate
> > Request policy such that certificate requests are scrubbed against an
> internal
> > database or other resources of the CAs discretion.
> Unless you're Let's Encrypt, in which case you can opt out of this
> requirement via a blog post.

If you're referring to
https://letsencrypt.org/2015/10/29/phishing-and-malware.html, I don't see
anything in there that says "we refuse to comply with the BRs with regards
to High Risk Certificate Requests".  It even describes in significantly more
detail than I can find in DigiCert's CP/CPS, the process by which Let's
Encrypt performs those checks.  If you have another post in mind, please
feel free to reference it.

At a higher level, I'm not sure it's wise for a CA representative to be
taking snarky potshots at another CA's practices.  You're kinda painting a
target on your chest.  Something something glass houses, something something
plank from your own eye something something.

- Matt

dev-security-policy mailing list

Reply via email to