Ian G wrote:
> Nelson B wrote:
>> My guess would be that a CA that has been certified BY THE GERMAN
>> GOVERNMENT for compliance with their laws would be suitable for
>> inclusion in mozilla as an EMAIL CA only.
>
> What is your logic for limiting it to email only?

The relevant standards are set up for issuing certs to individuals,
enabling those individuals to create signed documents, e.g. emails.
The relevant standards (that I have seen) address pre-issuance verification
of things needed to issue simple signing certs to individuals. They do not
seem to address the stronger verification requirements for SSL server certs,
which seems to be because SSL doesn't produce a signed document.

Now imagine a system named SMTP-MTA.com, which is a mail server, including
(say) IMAPS, and imagine that I have an email address ([EMAIL PROTECTED]).
Now imagine that I request a cert that includes a DNSname of SMTP-MTA.com
and an RFC822address of [EMAIL PROTECTED]. If the CA issues a cert with
those names, and without extensions limiting the use to preclude SSL
server use, and if mozilla has chosen to trust this CA for SSL, then that
cert will be a valid SSL server cert, as far as mozilla is concerned.

Given that (as I understand it) these new EU CAs are not trying to issue
SSL server certs, why should mozilla trust their certs for SSL servers?

--
Nelson B
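
The decision described in the message above, as an added example that is not part of the original post and is not Mozilla/NSS code. It is a simplified model: the class and function names are hypothetical, and the rfc822Name value is a constructed placeholder for the redacted address.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection

@dataclass(frozen=True)
class RootTrust:
    """Per-root trust bits chosen by the client (hypothetical model)."""
    ssl: bool
    email: bool

@dataclass(frozen=True)
class LeafCert:
    dns_names: FrozenSet[str]       # subjectAltName dNSName entries
    rfc822_names: FrozenSet[str]    # subjectAltName rfc822Name entries
    eku: Optional[FrozenSet[str]]   # None means the EKU extension is absent

def eku_allows(cert: LeafCert, purpose: str) -> bool:
    # An absent extended key usage extension places no restriction on purpose.
    return cert.eku is None or purpose in cert.eku

def valid_as_ssl_server(cert: LeafCert, root: RootTrust,
                        hostname: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for using cert as an SSL server cert."""
    if not root.ssl:
        return False, "issuing root not trusted for SSL"
    if not eku_allows(cert, SERVER_AUTH):
        return False, "EKU excludes serverAuth"
    if hostname.lower() not in {n.lower() for n in cert.dns_names}:
        return False, "no matching dNSName"
    return True, "accepted"

# Constructed samples: one cert carrying both name types and no EKU,
# and the same names with the use limited to email protection.
MIXED = LeafCert(frozenset({"SMTP-MTA.com"}),
                 frozenset({"user@example.invalid"}), None)
EMAIL_LEAF = LeafCert(MIXED.dns_names, MIXED.rfc822_names,
                      frozenset({EMAIL_PROTECTION}))

if __name__ == "__main__":
    for label, cert, root in [
        ("no EKU, root trusted for SSL", MIXED, RootTrust(True, True)),
        ("no EKU, root email-only", MIXED, RootTrust(False, True)),
        ("email EKU, root trusted for SSL", EMAIL_LEAF, RootTrust(True, True)),
    ]:
        print(label, "->", valid_as_ssl_server(cert, root, "smtp-mta.com"))
```

Only the first case is accepted: either an email-only trust bit on the root or a restricting extension in the cert is enough to stop it.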