"the CA must not knowingly issue certs to entities who do not own the associated domains". (The language also has to address the question of agents who are authorized to get certs on behalf of the someone else;
Which as Duane points in the real world of SSL certificate is an excessively common occurence. I propose :
"the CA must issue certs only to an entity that have received authorization from the associated domains owner"
* For object signing certs the requirement should be something like "the CA must take reasonable measures to verify the identity of the
entity associated with the certificate"
Well I don't see why we don't want that for the other cases too ?
What I think we need for object signing certs is not to tie X-owned object signing certs to X-controlled domains, I don't think it makes too much sense, but an insurance that the CA will process external report that the software is acting badly, and accept to revoke it based on that input.
And Mozilla should be preconfigured to download CRL update from such CA. _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
