On 2010-06-10 10:45 PDT, Martin Rex wrote:
> Nelson B Bolyard wrote:
>>> CAs vouch and are liable for every single bit in the ToBeSigned part
>>> of a certificate, no matter what stupid things they claim in any weird
>>> and ineffective "certificate practice statement" (CPS).
>> I think you'll find that lots of lawyers disagree. To the contrary, they
>> would claim that the expectation that CAs do anything other than what their
>> CPSes say is the stupid part. In most jurisdictions, there's no law that
>> says what CAs must do, so CAs are bound by contract, and the contracts all
>> cite the CPSes.
>
> It is the CAs who asked the browser vendors to ship their certs
> preconfigured as trusted!

Yes, the browser vendors review the CPSes and determine whether those CPSes meet their minimum requirements or not. Presently the browsers (well, some of the browsers) do not display the values of the attributes that are known not to be vetted by numerous CAs in the main site identity display. (Those attributes may be displayed if the user brings up a dialog that views the entire certificate).

> How many "certificate practice statements" (CPS) have you had to click
> through before your browser allowed you to establish a TLS-protected
> communication?
>
> For every user, where the count is "none", there is _no_ CPS in effect.

You're welcome to that opinion.
