A bit of philosophical question here: Certificates are pretty much universally described in PKI texts and the like as a cryptographic binding between an identity and a key, in other words an assertion by the CA that the key in the cert is associated with the identity in the cert.
If there's no requirement to verify that this is the case by CAs issuing certificates, doesn't this make what they're producing a non-certificate? This isn't snark, it's a genuine question: If the CA isn't checking that the entity they're certifying controls the key they're certifying, aren't they then not acting as CAs any more? Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
