Small clarification... It has been pointed out to me that the section
below is somewhat confusing, and I want to clarify it:
The idea is that Mozilla defines clearly in the Mozilla CA policy
which level has which requirements concerning the verifications to be
performed - the CA doesn't make that decision. However, the CA checks
with its own procedures and assigns the appropriate level to the various
certificates it issues. This shall be the responsibility of the CA, the
same way the CA today has to adhere to the minimum requirements of the
Mozilla CA policy at any time and its own CA policy and practices.
Cheating on that (assigning a higher level to a certificate) should provoke
the same action as non-adherence to the Mozilla CA policy.
Eddy Nigg (StartCom Ltd.) wrote:
*Implementation:*
The Mozilla CA policy will be extended to include the above-described
definitions. Levels can be assigned by the CA within the subscriber
certificate with a specially defined OID by using, for example, the
Mozilla OID space. In this proposal we suggest to leave the definition
of levels to the CA, as in any case the CA defines its verification
procedures in its own policies.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390