I took a look at parts of Certainly's CP/CPS. I'm happy to see Certainly use a combined CP/CPS. However, section 3.2.2 says:

> "Certainly validates domain control primarily in an automated fashion using the ACME protocol. In exceptional cases control may be validated using methods similar to those employed by ACME, but performed manually."

The BRs permit the ACME methods. The BRs do not permit CA-invented methods that are "similar to" ACME methods. This is the same as the forbidden "any other method of confirmation", and relies on trusting the CA's judgment that the methods "similar to" the allowed methods are as secure as the allowed methods themselves. It should be very clear that the BRs no longer permit CAs to make this judgment call.

I agree with Sleevi: Mozilla should not extend trust to a new organization until it completes the normal, full review process. As shown by this security-critical omission by GoDaddy, Mozilla cannot rely on the "due diligence" of another CA to substitute for Mozilla's own process.

Regards,
Andrew

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220221130636.66e7fd6bf27ba2442639a79c%40andrewayer.name.
