Robert Sayre wrote:
Will we see Extended Extended Validation Certificates in a few years, after CAs sell too many EV certs? Is there an incentive for them not to do that?
What do you mean by "too many" EV certs? Do you mean "if they start selling EV certs to the wrong people"?
If a CA sells an EV cert to someone who subsequently does use it for fraudulent purposes, we'll do a number of things.
Firstly, we'll take the information we have gathered about them and pass it on to law enforcement. If things are working well, then they'll get arrested and charged.
Secondly, if some of that information turns out to be incorrect (and so perhaps we couldn't find the person after all), we'll analyse what happened, find the hole in the procedures, and issue an update to the document tightening them. The document is not a standing target.
Gerv _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
