On Fri, Apr 13, 2018 at 12:39:27AM +0000, Tim Hollebeek via dev-security-policy wrote:
> > Independent of EV, the BRs require that a CA maintain a High Risk Certificate
> > Request policy such that certificate requests are scrubbed against an internal
> > database or other resources of the CA's discretion.
>
> Unless you're Let's Encrypt, in which case you can opt out of this
> requirement via a blog post.

If you're referring to
https://letsencrypt.org/2015/10/29/phishing-and-malware.html, I don't see
anything in there that says "we refuse to comply with the BRs with regards
to High Risk Certificate Requests". It even describes in significantly more
detail than I can find in DigiCert's CP/CPS, the process by which Let's
Encrypt performs those checks. If you have another post in mind, please
feel free to reference it.

At a higher level, I'm not sure it's wise for a CA representative to be
taking snarky potshots at another CA's practices. You're kinda painting a
target on your chest. Something something glass houses, something something
plank from your own eye something something.

- Matt

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy