I want to emphasize that each and every value of the certificate Subject has always been verified. It is wrong to say that those values are unverified. It is only a question of the E verification method and its quality. Our method has been for the Registration Officer to assess visually whether each E value (or any other subject value outside the common group C, O, ST, L, streetAddress, postalCode) is correct for this Customer.
Registration Officer training has instructed which E values must be rejected. It is not possible to use visually similar kinds of characters because we technically restrict Subject characters to common ASCII characters (e.g. nulls are rejected). It is completely incorrect to claim that any values are added without validation. Since Feb 2018 Telia also technically prevents any values other than C, O, L, OU, E, CN from being inserted into SSL certificates. Since then the simple visual verification has applied only to OU and E (the others have always been very rare). In addition, all Telia SSL certificates have also always been post-examined (visually) after enrollment to be absolutely sure that no incorrect subject values have passed our validation (second-person evaluation).

I understand your opinion that this kind of visual verification is not as strong as technical email verification with random codes. However, random-code verification is not written as a requirement in the BR. The BR only states in 7.1.4.2.2.j: "All other optional attributes, when present within the subject field, MUST contain information that has been verified by the CA." In my opinion we have followed that requirement because we have had a verification method for those values; do you disagree?

Next, we are ready to stop adding E values completely to solve this issue permanently, but we think it is not right to require us to revoke all our old E values.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
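The technical filter the post describes (an allowlist of the attribute types C, O, L, OU, E, CN, and ASCII-only values with nulls rejected) as an added example; this is not Telia's code and is not part of the original post. It operates on a DER-encoded Subject using minimal hand-written DER helpers, and the sample Subjects, the OID-to-label table and the function names are constructed for illustration. Note what such a filter does and does not establish: it rejects disallowed attribute types, embedded nulls and look-alike non-ASCII characters, but it cannot tell whether an E value actually belongs to the applicant, which is the point in dispute in the thread.

```python
"""Subject linter: attribute-type allowlist plus printable-ASCII-only values.

Added example, not Telia's code.  The DER helpers cover only the X.509 Name
structure (SEQUENCE OF SET OF SEQUENCE { OID, string }) used here.
"""

# Attribute types the filter permits; labels are the conventional short names.
ALLOWED_ATTRS = {
    "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.7": "L", "2.5.4.11": "OU",
    "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "E",
}
# Extra well-known types, listed only so that findings are readable.
KNOWN_ATTRS = {**ALLOWED_ATTRS, "2.5.4.8": "ST", "2.5.4.9": "streetAddress",
               "2.5.4.17": "postalCode"}

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
STRING_TAGS = {0x13: "PrintableString", 0x0C: "UTF8String", 0x16: "IA5String"}


def _tlv(tag, body):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + body


def _encode_oid(dotted):
    """Encode a dotted OID string as DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content octets back to dotted form."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_subject(attrs):
    """Encode [(dotted_oid, string_tag, value_bytes)] as a DER Name, one
    attribute per RDN (the usual layout)."""
    rdns = b"".join(
        _tlv(SET, _tlv(SEQUENCE, _tlv(OID, _encode_oid(oid)) + _tlv(tag, val)))
        for oid, tag, val in attrs)
    return _tlv(SEQUENCE, rdns)


def parse_subject(der):
    """Decode a DER Name into [(dotted_oid, string_tag, value_bytes)]."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == SEQUENCE, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == SET, "RDN must be a SET"
        inner = 0
        while inner < len(rdn):  # a SET may carry several attributes
            tag, atv, inner = _read_tlv(rdn, inner)
            assert tag == SEQUENCE, "AttributeTypeAndValue must be a SEQUENCE"
            _, oid_raw, p = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, p)
            attrs.append((_decode_oid(oid_raw), vtag, value))
    return attrs


def lint_subject(der):
    """Return policy findings; an empty list means the Subject passes the
    technical filter.  Whether an E value belongs to the applicant is not
    something this check can decide."""
    findings = []
    for oid, vtag, value in parse_subject(der):
        label = KNOWN_ATTRS.get(oid, oid)
        if oid not in ALLOWED_ATTRS:
            findings.append(f"{label} ({oid}): attribute type not permitted")
        elif vtag not in STRING_TAGS:
            findings.append(f"{label}: unexpected value encoding tag 0x{vtag:02x}")
        else:  # printable ASCII only: rejects NUL, control bytes and UTF-8 homoglyphs
            bad = sorted({b for b in value if not 0x20 <= b <= 0x7E})
            if bad:
                findings.append(f"{label}: non-printable-ASCII bytes {[hex(b) for b in bad]}")
    return findings


# Constructed sample Subjects (not taken from any real certificate).
GOOD_SUBJECT = build_subject([
    ("2.5.4.6", 0x13, b"FI"),
    ("2.5.4.10", 0x0C, b"Example Oy"),
    ("2.5.4.3", 0x0C, b"www.example.com"),
    ("1.2.840.113549.1.9.1", 0x16, b"hostmaster@example.com"),
])
BAD_SUBJECT = build_subject([
    ("2.5.4.6", 0x13, b"FI"),
    ("2.5.4.8", 0x0C, b"Uusimaa"),                                   # ST: not on allowlist
    ("2.5.4.3", 0x0C, b"www.example.com"),
    ("1.2.840.113549.1.9.1", 0x16, b"hostmaster@example.com\x00.x"),  # embedded NUL
    ("2.5.4.11", 0x0C, "Tuki\u0430".encode()),                       # Cyrillic 'a' in OU
])

if __name__ == "__main__":
    print("good:", lint_subject(GOOD_SUBJECT) or "no findings")
    for finding in lint_subject(BAD_SUBJECT):
        print("bad: ", finding)
```

Running the module prints no findings for the first Subject and three for the second: the ST attribute, the NUL inside the E value, and the two UTF-8 bytes of the Cyrillic look-alike in OU. Rejecting at the byte level rather than after decoding to text is deliberate: it does not depend on which string type the enrollment front end chose.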

