Heikki Toivonen wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> WebTrust or not, is not a function here! But an audit confirms the
>> procedures and controls in place. The policy and practices of the CA are
>> the basis of this assessment, which is publicly available! Therefore they
>> are not secret and proprietary, which was your original wrong statement!
>> And yes, the policy and practices define the quality of those procedures!
>>
>
> I am under the impression that the policies and practices are actually
> not publicly available. Can you provide links that document these for
> some common CAs, to the level described in the EV cert draft?
>

For a starter try this: http://www.hecker.org/mozilla/ca-certificate-list
Next try the Authorities Certificate store of your Firefox browser
And at last, try uncle Google...

BTW, it is common to place the CA policy in a prominent place on the CA web site, after all, this is part of the legal contract between the CA - subscriber and relying party. In theory a user (RP) should read the CA policy of the issuing CA before trusting a certificate, otherwise how should he know about the verifications performed or any other procedure a CA promises? Obviously, this is not very practical, hence our proposal for a simplified but improved UI change!

Hope this answers your question...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
