Eddy Nigg (StartCom Ltd.) wrote:
No contradiction. Focus on the word "minimum". If you say you will do
no verification at all, and you actually do no verification at all,
you pass the audit.
That's right! But the audit confirms exactly that (in your example, no
verification). The CA will have to mark its certificates compared to its
policy which was audited accordingly.
Why will they "have to"? Who is the policeman? And, inevitably, there is
a certain amount of judgment involved in deciding whether a particular
set of practices meet a particular Mozilla "level". Who arbitrates when
there's a dispute?
Oh, you know that one ;-) :
http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/
And I've pointed out several times that this URL is factually
inaccurate, and bad reporting.
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
