* For object signing certs the requirement should be something like "the CA must take reasonable measures to verify the identity of the
entity associated with the certificate"
Well I don't see why we don't want that for the other cases too ?
I already addressed this, although I understand some people may not agree with my rationale: As I noted previously, personal identity per se is not central to the use of email, and IMO it is perfectly legitimate to have a use case where, for example, I can begin exchanging signed and encrypted email with [EMAIL PROTECTED] based on a) my prior dealings with [EMAIL PROTECTED] using non-secure email (to which the additional use of signed and encrypted email is a natural extension) and b) the assurance of a CA that the person who was issued the email cert with email address [EMAIL PROTECTED] is the same person controlling the email account for [EMAIL PROTECTED]
I realize that some believe that this scenario is somehow insecure (and hence should be avoided entirely) in the absence of a known real-world identity that I can attach to [EMAIL PROTECTED] (and that he/she can attach to me), but I just don't accept that argument.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
