I recognize that this is a discussion of the merits of this policy change.
I agree with this change, because changing legal names is a very expensive
and involved process (much more so for corporations, but also for
individuals).

I do need to ask about a connected issue, though, related to why this is
even an issue in the first place. Where could I propose that the
jurisdiction of the name's registration (for corporations in the US, the ST=
and C= fields of the Subject DN) be displayed in the EV notice bar?
Corporate names tend to be unique among each place of registration (and
they legitimately -are-, in US states). This isn't the place to make a full
case for such a change, but I am asking to know where such a proposal and
full case could be made.

Thanks for your help.

-Kyle H

On Thu, Oct 7, 2021, 19:07 Ben Wilson <[email protected]> wrote:

> All,
>
> This email is the first in a series of discussions concerning the next
> version of the Mozilla Root Store Policy (MRSP), version 2.8, to be
> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>
> Issue #129 <https://github.com/mozilla/pkipolicy/issues/129> in GitHub
> proposes that we add a policy of non-discrimination to the MRSP.
>
> This particular issue arose from discussions of whether CAs should be
> allowed to arbitrarily refuse to issue or to revoke certificates. (The
> situation involved an EV certificate for Stripe, Inc., of Kentucky,
> https://groups.google.com/g/mozilla.dev.security.policy/c/NjMmyA6MxN0/m/asxTGD3dCAAJ).
> Many of you argued that CAs should objectively and non-arbitrarily apply
> the issuance and revocation standards of the CA/Browser Forum. The full
> discussion can be read in the email thread referenced above, so I'll forego
> any attempt to recap.
>
> Potential policy language can be paraphrased from the suggestion made in
> Issue #129, which was to base language on ETSI 319 401--"Practices under
> which the CA operates SHALL be non-discriminatory. The CA SHALL make its
> services accessible to all applicants who meet the requirements and agree
> to abide by their obligations as specified in the CA's terms and
> conditions." Alternative wording might be something like, "Decisions not
> to issue or to revoke a certificate should be based on the unbiased
> application of the CA/Browser Forum's requirements using the objective
> criteria stated therein," OR "CAs shall apply the CA/Browser Forum’s
> issuance and revocation requirements in a non-arbitrary manner."
> Is a variation of the language above sufficient? What do you suggest as
> language? Should it be inserted somewhere in section 2
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities>
> of the MRSP?
>
> Thoughts?
>
> Thanks,
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtab-g%2Bnp5xk_YaoKo%3D5QXkLk4zA6oscd6iBARhdnfo6ycw%40mail.gmail.com
> .
>
