On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the > province > >is Flevoland. > > How much checking is a CA expected to do here? I know that OV and DV certs > are just "someone at this site responded to email" or whatever, This is not correct. This can be easily answered by https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf Section 3 governs validation, Section 7 governs the profile of how to use that validated information > but for an > EV cert how much further does the CA actually have to go? When e-Szignó > Hitelesítés-Szolgáltató in Hungary certifies Autolac Car Services, Av Los > Frutales 487 urb., Lima, Peru, are they expected to verify that it's really > in Av Los Frutales and not Los Tolladores, or do they just go ahead and > issue the cert? Can someone point to the bit of the BR that says that this > is obviously right or wrong? > For an EV cert, you look in https://cabforum.org/wp-content/uploads/EV-V1_6_1.pdf _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy