At 10:48 AM -0700 6/8/10, Nelson B Bolyard wrote:
>There are a large number of CAs that follow the practice of vetting SOME
>of the information they put into cert subject names, but not all, and in
>fact deliberately making no attempt to vet certain attributes at all.
>
>Examples known to me include:
>
>OU names: typically not vetted at all
>
>CNs other than the last (most specific) one, if it is a DNS name.
>
>Maybe it's pointless to try, but can we write into this RFC that conforming
>certs contain NO unvetted attributes in the subject name nor in any Subject
>Alt Name attributes?

Their vetting practices are supposed to be listed in their CPSs, so a CA can always say "we do exactly what we say we do" because they know that no one reads (or can read) their CPS. Having said that, including this practice as a warning in the document seems like a good idea.

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
