Eddy Nigg (StartCom Ltd.) wrote:
to add the new OIDs.
Yes, this is the only requirement really.
Actually, not even that is necessary. Classes each have their own root
cert, so we can simply match root certs to level in our software, using
a list that is just as hardcoded as our root certs, and matches the
assigned levels.
In fact, if I wanted to do that in Beonex, I could implement Eddy's
proposal plus UI all in JavaScript. I simply match the root cert name or
ID with a hardcoded list, and if it's VeriSign's Class 3 or StartCom's
Class 3, I show the realname and address in the UI, because I know they
check these properly, and otherwise I won't do anything special. Just as
an example.
But EV is backed up by audit. Eddy's proposal is not.
Utter nonsense! All CAs get audited according to their policies and
practices.
Right. As you said yourself, Gerv, CAs are audited based on their public
(and closed) policies. If VeriSign publicly states that they'll verify
the street address via this-and-that means for Class 3, and they have a
WebTrust audit, then you can consider street address verification being
audited for Class 3. This is true already, today. All that Eddy's
proposal changes, really, is to make these policies machine-readable.
--
When responding via mail, please remove the ".news" from the email address.
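
The root-to-level matching described in the message above, as an added example that is not part of the original post or of Beonex. It assumes the platform has already validated the chain and exposes each certificate as a plain object; the field names, the CA labels and the placeholder fingerprints are all constructed for illustration, and it keys on the root fingerprint rather than the root name.

```javascript
// Hardcoded map: root certificate SHA-256 fingerprint -> verification level.
// Fingerprints are constructed placeholders, not real CA values.
const ROOT_LEVELS = new Map([
  ["PLACEHOLDER-FP-CLASS3-ROOT", { ca: "Example CA", level: 3 }],
  ["PLACEHOLDER-FP-CLASS1-ROOT", { ca: "Example CA", level: 1 }],
]);

// Level at which the CA's audited policy covers real name and street address.
const IDENTITY_LEVEL = 3;

// True when every certificate is issued by the next one and the last is self-issued.
function chainIsLinked(chain) {
  if (chain.length === 0) return false;
  for (let i = 0; i < chain.length - 1; i++) {
    if (chain[i].issuerDN !== chain[i + 1].subjectDN) return false;
  }
  const root = chain[chain.length - 1];
  return root.issuerDN === root.subjectDN;
}

// Returns { realName, address, ca } to show in the UI, or null for no special treatment.
// `validated` is the result of the platform's normal path validation (assumed input).
function identityForUI(chain, validated) {
  if (!validated || !chainIsLinked(chain)) return null;
  const root = chain[chain.length - 1];
  // Key on the fingerprint: a subject name can be copied into any self-signed cert.
  const entry = ROOT_LEVELS.get(root.fingerprint256);
  if (!entry || entry.level < IDENTITY_LEVEL) return null;
  const leaf = chain[0];
  if (!leaf.subject.O || !leaf.subject.street) return null;
  return { realName: leaf.subject.O, address: leaf.subject.street, ca: entry.ca };
}

// Constructed sample certificates.
const leaf = { subjectDN: "CN=shop.example", issuerDN: "CN=Example Class 3 Root",
  subject: { O: "Example Shop Ltd.", street: "1 Example Street" } };
const class3Root = { subjectDN: "CN=Example Class 3 Root",
  issuerDN: "CN=Example Class 3 Root", fingerprint256: "PLACEHOLDER-FP-CLASS3-ROOT" };
const class1Root = { subjectDN: "CN=Example Class 1 Root",
  issuerDN: "CN=Example Class 1 Root", fingerprint256: "PLACEHOLDER-FP-CLASS1-ROOT" };
const class1Leaf = { ...leaf, issuerDN: "CN=Example Class 1 Root" };
// Same name as the Class 3 root, different key material: must not match.
const lookalikeRoot = { ...class3Root, fingerprint256: "PLACEHOLDER-FP-UNKNOWN" };
```

The lookalike root carries the Class 3 name but an unlisted fingerprint, so it gets no identity display, which is the case a name-only match would get wrong if it ever ran on an unvalidated chain.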