Florian Weimer wrote:
By the way, much of this could be sidestepped if CAs were required to publish all the evidence they have gathered together with the EV certificates they issue (in a complete list of certificates, not just those certificates that are actually used on popular sites). This way, everyone could review the strength of each CA's EV process. The peer pressure should be sufficient to ensure that everyone keeps their backyards clean.
An interesting idea; but wouldn't there be confidentiality problems? Some of the things CAs might need to check might be things which a company quite reasonably does not want to be made public.
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
