Florian Weimer wrote:
They don't, as far as I can tell. Evidence provided by a Qualified Independent Information Source (QIIS) is usually sufficient. Verisign seems to have copied this part of the guidelines verbatim.
Guess what....they wrote most of the guidelines by themselves!
Certain is good....hasn't Verisign its own domain registry department? Conflict of interest?
Now the interesting question is how much wiggle room there is in the definition of a QIIS. Looks like a lot to me, and I wouldn't be surprised if anyone had problems to say with certainty if certain WHOIS operators can serve as a QIIS.
Good catch! More than that, it was signed and issued long before the EV guidelines were approved (How could they know what the guidelines will be?). And even more disturbing is the fact that the certificate is valid for a period of _two_ years, whereas the guidelines speak strictly about _ONE_ year only!!!! And now to all the EV supporters: Isn't EV already flawed by the biggest certification authority?
Is the current certificate on https://www.verisign.com/ an EV certificate? It lacks a physical address, which is required by (my reading of) the guidelines.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security