On 27/10/14 08:16, Ryan Sleevi wrote:
<snip>
> If you're trusting certificates to assert information about either the
> identity of the entity behind the key or that the CA has done due
> diligence, well, you're using certificates for something they're neither
> intended for nor well suited for, so you'll have a bad time.

Ryan, you are of course free to reach your own conclusions about what certs are / aren't well suited for.

However, I'm utterly baffled by your claim that certificates aren't intended to "assert information about...the identity of the entity behind the key". That claim is true for DV, but it's clearly false for EV and OV.

As for due diligence, BRs Section 11.2 clearly says that CAs are required to verify organization info in accordance with Section 11.2 and as documented in their CP/CPS.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy