beltzner wrote:
So far I've heard reasonable arguments for:
This is a very helpful list.
- linking a form of government ID to the application (proposed, but dropped, but we can repropose it) - increasing the liability exposure for CAs found to be lax in their applications of the guidelines - formalising the set of third-party identity providers to verify business information
I'm not sure that's feasible (if I understand the point correctly), given the large number of countries and jurisdictions in which EV has to operate. Currently, the standard defines a "QIIS" (Qualified Independent Information Source) as having to have particular qualities to be suitable for use in EV validation. I think this is probably the only workable approach - although we might want to suggest modifications to the criteria.
Gerv _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
