That was changed in ballot 127. -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Kurt Roeckx via dev-security-policy Sent: Wednesday, April 19, 2017 5:54 PM To: Peter Gutmann <pgut...@cs.auckland.ac.nz> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing
On Wed, Apr 19, 2017 at 10:41:33PM +0000, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> writes: > > >Both the localityName and stateOrProvinceName are Almere, while the > >province is Flevoland. > > How much checking is a CA expected to do here? I know that OV and DV > certs are just "someone at this site responded to email" or whatever, > but for an EV cert how much further does the CA actually have to go? For the EV cert we got we got a phone call asking if she could speak to someone else to confirm that he works there. That also wasn't what I expected. I expected that they would at least check that he has the authority to do so, like asking the CEO. (It was a code sign certificate, but I expect if it's labeled EV that the same things apply.) Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy