Nelson B wrote:
In a recent post, someone here attempted to defend the practice of using insecure email as the sole means of confirming the legitimacy of a request for an SSL server certificate. I'm here to challenge that. I think it's SO BAD a practice, in fact, that I think Mozilla should specifically say, in the policy, that that's not good enough for a CA that is admitted to Mozilla's trusted root list. I am not targeting any particular CA here. I think this is a matter of policy for all CAs.
There are two paradigms:
a) An identity exists as a meta-category, and someone or something has to ensure that the certificate is issued with a name that, without any possibility of doubt or error, maps to that meta-identity.
b) A certificate has a unique identifier (a "name") and all that the certificate ensures is that the combination of certificate issuer identification and the name associated with the certificate is unique.
Paradigm (a) is naive and will never work in practice.
Paradigm (b) is what we must accept and learn to work with.
CD Rok
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
