On 12/28/2008 01:13 PM, Kai Engert:
> The current Mozilla CA Certificate Policy says:
> "6. We require that all CAs whose certificates are distributed with our
> software products: ... provide attestation of their conformance to the
> stated verification requirements ..."
Kai, just to counter Ian's reply:
The objective of the Mozilla CA policy is to provide sound, reliable and
in this context reasonable security for its users.
This is anchored clearly in the Mozilla Manifesto as a principle and
further described and defined in the Mozilla CA Policy where PKI and CAs
are concerned. The Mozilla CA Policy is clear in its requirements, *intent*
and what it is meant to achieve. All the rest is just throwing sand into
one's eyes.
In this respect section 7 of said policy clearly states what the
requirements are. CAs may find different ways to achieve and conform to
those requirements, however it should not lead to a compromise of those
requirements. Personally I wouldn't outsource domain control validation
but incorporate it into the general process of certificate issuance. In
case it is delegated, the third party must provide attestation of their
conformance. I think this is what you were proposing...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org