On Thu, May 31, 2018 at 8:39 PM James Burton via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
> This is wrong and should be changed to allow all types of legally
> incorporated company names to get certificates. I understand this
> doesn't fit any of the standard company name profiles you've seen but this
> company name can be used in practice and I can think of many business
> types that would love this type of name.
>

In my opinion, this is just a rehash of the same debate we've been having
over misleading information in certificates ever since James obtained the
"Identity Verified" EV certificate. The options we have to address this
seem to be:
1. Accept that some entities, based on somewhat arbitrary rules and
decisions, can't get OV or EV certs
2. Accept that the organization information in certificates will sometimes
be misleading or at least uninformative
3. Decide that organization information in certificates is irrelevant and
ignore it, or get rid of it

We currently have chosen "some parts of all of the above" :-)

I am most interested in exploring the first option since that is the
direction CAs are headed with the recent proposal to limit EV certificates
to organizations that have existed for more than 18 months [1]. As long as
anyone can obtain a DV certificate, are restrictions on who can obtain an
OV or EV certificate a problem, and if so, why?

[1] https://cabforum.org/pipermail/validation/2018-May/000882.html
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
