(Same Pedro as before... it was another account)

>
> There's nothing that specifies the cert must be issued after the verifying
> control or that issuance can't be part of the verification process. Although
> this seems backwards, I still think it's compliant with the Mozilla policy.
>
Well... According to Mozilla 2.2-1: "All information that is supplied by the certificate subscriber MUST be verified by using an independent source of information or an alternative communication channel before it is included in the certificate." For me this means that for initial issuance the verification must occur before issuing the certificate, so the mail interaction must be prior to that.

My sentence above was about renewals, where I think that it's reasonable to consider that the email was already validated and that getting the renewal by accessing a mail is providing enough assurance. We could do otherwise, so issuance occurs after the user reads the email and clicks a link or whatever, but I don't think it really makes a difference in terms of controlling the risk of giving a certificate to the wrong person; as you said, "either you have access to the email or you don't".

Cheers!

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
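The verify-then-issue ordering the thread discusses, as an added illustration that is not part of the thread and not any CA's code: a single-use, time-limited challenge is sent to the mailbox, and a certificate carrying that address is produced only after the challenge comes back. The class name, the in-memory outbox standing in for SMTP, the dictionary standing in for the issued-certificate store and the 10-minute lifetime are all assumptions made for the example.

```python
"""Added example (not from the thread): gate certificate issuance on proof of
control of the subscriber's e-mail address, so the address is verified via the
alternative channel (the mailbox) *before* it is placed in a certificate.
EmailChallengeIssuer, the in-memory outbox and the issued list are constructed
stand-ins for illustration; no real CA software is modelled."""
import secrets
import time


class EmailChallengeIssuer:
    TTL_SECONDS = 600  # assumed challenge lifetime

    def __init__(self):
        self._pending = {}  # token -> (email, expiry); server-side state only
        self.outbox = []    # (address, body) pairs; stands in for SMTP delivery
        self.issued = []    # certificates produced; stands in for the CA database

    def start_validation(self, email, now=None):
        """Send an unguessable, single-use token to the address to be verified.
        Nothing is issued at this point."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._pending[token] = (email, now + self.TTL_SECONDS)
        # The only channel that ever sees the token is the mailbox under test.
        self.outbox.append((email, f"https://ca.example/verify?t={token}"))
        return token

    def complete_validation(self, token, now=None):
        """Called when the link is followed. Returns the new certificate dict,
        or None if the token is unknown, already used, or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # pop: a token works exactly once
        if entry is None:
            return None
        email, expiry = entry
        if now > expiry:
            return None
        return self._issue(email)

    def _issue(self, email):
        # Placeholder for real issuance: the address is included only after the
        # mailbox check above has succeeded, which is the ordering 2.2-1 asks for.
        cert = {"subject_email": email, "serial": secrets.token_hex(8)}
        self.issued.append(cert)
        return cert


if __name__ == "__main__":
    ca = EmailChallengeIssuer()
    t = ca.start_validation("alice@example.com")
    print("before click, issued:", ca.issued)          # []
    print("after click:", ca.complete_validation(t))   # certificate dict
    print("replayed token:", ca.complete_validation(t))  # None
```

The reverse ordering (issue first, then mail the certificate so that only the mailbox owner can retrieve it) would be the same class with `_issue` called inside `start_validation`; the mailbox check is equivalent in both, which is the point made in the message, but only the order shown here verifies the address before it appears in a certificate.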