* Gervase Markham:

> Florian Weimer wrote:
>> By the way, much of this could be sidestepped if CAs were required to
>> publish all the evidence they have gathered together with the EV
>> certificates they issue (in a complete list of certificates, not just
>> those certificates that are actually used on popular sites). This
>> way, everyone could review the strength of each CA's EV process. The
>> peer pressure should be sufficient to ensure that everyone keeps their
>> backyards clean.
>
> An interesting idea; but wouldn't there be confidentiality problems?

Sure, but that's the point. The exact procedure a CA is following is a
significant business asset because you want to do as little as possible
and get away with it (in all senses: PR, liability, compliance with
regulations etc.). If you mean subject confidential information, then I
share your concern to some extent.

> Some of the things CAs might need to check might be things which a
> company quite reasonably does not want to be made public.

In such cases, the CA can still document the type of information, and
the reason why it is not published. This is still much better than not
publishing anything.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
