Ben Bucksch wrote:
Gervase Markham wrote:
If the checks were not performed properly by the CA, the CA is liable.
No. If they follow the guidelines, they disclaim liability.
Then the checks have been performed properly. You can't have it both
ways. The CA can't both "not perform the checks properly" and "follow
the guidelines".
They can, if
1) the guidelines are too weak
No. Even if the guidelines are "too weak" (by Ben Bucksch's definition),
if they are following them then they are by definition performing the
checks properly.
2) the guidelines only require a check to be *performed*, but it's not
performed *properly*.
What court of law would make that distinction? "Yes, Mr CA, we are going
to let you off because you performed all the checks and then ignored the
results, which is technically allowed by the standard."
2) a) You "check" data A by looking at it, and it's obviously wrong, but
you let it pass the check, because the clerk who did it is an untrained
monkey for $5/h who doesn't care a bit, and nobody holds him accountable
See above.
2) b) Or you check the address, but the source where you checked it
again was wrong, and you *know* it's a weak, but cheap/convenient source.
They are still performing the checks properly and following the guidelines.
But this is a pointless semantic discussion. Either the guidelines are
binding or they aren't. If they are binding, the CA will follow them or
be liable. If they are not, then what makes them not binding? After all,
all the CAs are writing them into their CPSes.
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
