Peter,

I obviously do not represent ComSign, but several of the items in your list
are not really specific to the CPS and instead are more comments on the
Mozilla policies.

On Fri, Jan 29, 2016 at 4:24 PM, Peter Kurrasch <fhw...@gmail.com> wrote:

> * There is a BR from CABF that covers code signing. I must admit I don't
> know the status of it but this CPS should at least acknowledge it and say
> if ComSign will adhere to it.
>

There is not a BR from the CA/Browser Forum.  A subset of the members of
the CABF drafted a BR, but it failed to be adopted as a Forum Guideline
when brought to a vote of the whole Forum.  Concerns were raised on several
fronts, including some specific requirements.  Therefore I don't think it
is necessary or appropriate for a CA to commit to adhere (or not adhere) to
a document that is still under development.

Additionally, Mozilla has determined that Code Signing is out of scope for
the Mozilla CA program.  Therefore, as I understand it, whether a CA issues
certificates for code signing or not, and the terms under which it does so,
should not be in scope for review of their CPS in this forum.


> * Section 3.2.8.1.1. is provably insecure and should not be used to verify
> ownership or control of a domain. A WHOIS record might contain an email
> address of a proxy and is, therefore, unreliable. The "magic" email address
> names might be directed to an unauthorized person and, therefore, also
> unreliable.
>

The process described in 3.2.8.1.1 is the process that was included in the
Mozilla CA policy (https://wiki.mozilla.org/CA:CertInclusionPolicyV2.0) and
is now included in the CABF BRs.  It is an approved process to verify
ownership or control of a domain.


> * Section 3.2.8.1.3. is also provably insecure and should not be used.
> Changing a website proves nothing and if I'm trying to exploit an existing
> domain for nefarious purposes I probably have control over the website
> anyway.
>

The process described in 3.2.8.1.3 is an implementation of section 3.2.2.4
(6) of the CABF BRs.  It appears to be an approved process to verify
ownership or control.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
