Paul Hoffman wrote:
> At 10:48 AM -0700 6/8/10, Nelson B Bolyard wrote:
>> There are a large number of CAs that follow the practice of vetting SOME
>> of the information they put into cert subject names, but not all, and in
>> fact deliberately making no attempt to vet certain attributes at all.
>>
>> Examples known to me include:
>>
>> OU names: typically not vetted at all
>>
>> CNs other than the last (most specific) one, if it is a DNS name.
>>
>> Maybe it's pointless to try, but can we write into this RFC that conforming
>> certs contain NO unvetted attributes in the subject name nor in any Subject
>> Alt Name attributes?
>
> Their vetting practices are supposed to be listed in their CPSs, so a CA can always say
> "we do exactly what we say we do" because they know that no one reads (or can
> read) their CPS.
>
> Having said that, including this practice as a warning in the document seems
> like a good idea.

+1

spt
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
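The matching rule Nelson's message implies, as an added example that is not part of the thread and not code from any CA or the RFC: a small Python check that ignores OU (and every other subject attribute) entirely, uses only the last CN and only when it is a DNS name, and, when dNSName SANs are present, uses those alone and never consults the CN (RFC 6125, Section 6.4.4). The subject below is constructed sample data, not a real certificate; the function names and the strict whole-label wildcard rule are my assumptions.

```python
import re

# Added example (not from the thread). Subject RDNs are given in certificate
# (DER) order, so the "last" CN is the most specific one, as in Nelson's message.
# Hypothetical helper names; the data below is constructed, not a real cert.

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_dns_name(value: str, allow_wildcard: bool = False) -> bool:
    """True if value is syntactically a DNS hostname with at least two labels.

    IP literals, single labels and free text ("Example Corp Web") are rejected.
    With allow_wildcard, a leading "*" label is accepted only if at least two
    labels follow it ("*.example.com" yes, "*.com" no).
    """
    labels = value.rstrip(".").split(".")
    if allow_wildcard and labels[0] == "*" and len(labels) >= 3:
        labels = labels[1:]
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def presented_identifiers(subject_rdns, san_dns_names):
    """Identifiers a client may match a hostname against.

    - OU, O, C and every other subject attribute are ignored (unvetted).
    - If any dNSName SAN is present, only SANs are used; the CN is not
      consulted at all (RFC 6125, Section 6.4.4).
    - Otherwise only the last CN is used, and only if it is a DNS name.
    """
    if san_dns_names:
        return [n.lower() for n in san_dns_names
                if is_dns_name(n, allow_wildcard=True)]
    cns = [value for attr_type, value in subject_rdns if attr_type == "CN"]
    if cns and is_dns_name(cns[-1], allow_wildcard=True):
        return [cns[-1].lower()]
    return []


def matches(presented: str, reference: str) -> bool:
    """Exact match, or a wildcard that is the entire leftmost label and
    matches exactly one label. Partial wildcards ("f*.example.com") and
    wildcards in any other position are rejected (stricter than RFC 6125
    requires; an assumption of this example, not a rule from the thread)."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p == r:
        return True
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(r) and p[1:] == r[1:] and r[0] != ""


def hostname_matches(reference, subject_rdns, san_dns_names=()):
    """True if the reference hostname matches any usable presented identifier."""
    return any(matches(p, reference)
               for p in presented_identifiers(subject_rdns, san_dns_names))


# Constructed sample subject (not a real certificate): the OU and the first CN
# were never vetted; only the last CN carries the vetted DNS name.
SAMPLE_SUBJECT = [
    ("C", "US"),
    ("O", "Example Corp"),
    ("OU", "www.bank.example"),         # unvetted: must never act as an identity
    ("CN", "Example Corp Public Web"),  # earlier CN: not vetted, not a DNS name
    ("CN", "www.example.com"),          # last CN: the only usable identity
]

if __name__ == "__main__":
    print(presented_identifiers(SAMPLE_SUBJECT, []))            # ['www.example.com']
    print(hostname_matches("www.bank.example", SAMPLE_SUBJECT))  # False
    print(hostname_matches("www.example.com", SAMPLE_SUBJECT))   # True
```

The point of the OU line in the sample is the one Nelson raises: a CA that never vets OU can issue a subject whose OU reads like a hostname, so a client that matches against any attribute other than the last CN (or the SANs) accepts an identity nobody checked.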
