Frank Hecker wrote:
> I'll assume for now that the answer is "no", and that having our policy
> specifically address the "knows otherwise" case is both possible and
> desirable.
>
> Again, I don't know, but I'll
> assume for now that the answer is "no", and that having the policy
> specifically address the "CA knows otherwise" case is desirable,
> although doing so is not as straightforward as in the "knows otherwise"
> case. So on to the final case...

I think the first two can be lumped together, though with different reasoning from what you gave: I don't think you can have security without some way to tie a certificate to a person/organisation/website etc. What I mean by this is that even simple email pings verify that the person has some kind of link to the domain. So in both of the first two cases no form of vetting occurs, or it is blatantly ignored, and this is, as you put it, completely open to exploits/social engineering etc., and "a very bad thing(tm)", as it would be worse for general user security than any possible benefit for a minority (namely scammers and spammers). So I agree in whole with your summary that both should be excluded from inclusion even if they have passed an audit...

> Now let's see if I can crank out the next message right away, and not
> keep you all in suspense :-)

I'll save comment for your third email...

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
