On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > A) Does your CA have an RA program, whereby non-Affiliates of your company > perform aspects of certificate validation on your behalf under contract? If > so, please tell us about the program, including: > > * How many companies are involved > * Which of those companies do their own domain ownership validation > * What measures you have in place to ensure this work is done to an > appropriate standard > [JR] This should be limited to SSL certs IMO. With client certs, you're going > to get a lot more RAs that likely function under the standard or legal > framework defining the certificate type.
What if the question was scoped to "RAs that can do independent validation of domain control" or some such? e.g. a classic "Enteprise RA" set up where the CA's in-house RA confirms control of a public suffix and then allows the Enterprise to internally confirm certificate requests under the validated domain should not be counted here. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy