On Tue, Dec 30, 2008 at 3:27 PM, Frank Hecker
<hec...@mozillafoundation.org> wrote:
> I will say however that as a general matter I think it is good CA practice
> to have standard procedures and associated IT systems for verifying domain
> ownership/control and email account ownership/control, and to have resellers
> either use the CA's own systems or use CA-approved equivalents. (For
> example, reseller A might use the CA's own instances of such systems, while
> reseller B might run the same software but on its own systems.)
>
> One reason I say this is "good CA practice" as opposed to a mandatory
> requirement, is because of cases like enterprise PKIs where the enterprises
> might act as RAs and do verification based on their own internal systems
> (e.g., HR databases).

Ummm... has an enterprise PKI ever been included in Mozilla?

Also, who's to say that domain ownership/control and email account
ownership/control aren't authoritatively evidenced by internal systems
(technically, all someone external can do is verify that someone has
access to the machine pointed to by the DNS, or can access the
email, both of which rely on the capability of the actual owner to
adequately secure their systems -- but if a policy is in place that
only employees are authorized to have 'control' access to systems or
email accounts within the domain then that business evidence is more
authoritative)?

(In any case, enterprises that act as RAs are unlikely to be acting as
RAs for domain-validation, they're much more likely to be operating as
RAs for "entities authorized to operate on the enterprise's behalf".
Which is a perfectly legitimate thing for them to do, as long as the
bounds of trust are carefully defined and preserved through the client
user interfaces. Which they never are.)

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
