Hi Mister Charter77,
It would be nice, if you would post as a person and not as an email
address...
[EMAIL PROTECTED] wrote:
> The project you propose is monumental in terms of 1) categorizing the
> hundreds of certificate classes offered by the dozens of CAs, and
Again no! It was explained various times by now, that the Mozilla CA
policy will provide the framework of four levels (according to the
proposal) and the CAs will match their verification procedures to the
appropriate level. It doesn't matter how many classes and levels a CA
provides, it will have to define which of them matches which level.
Nothing more to do here!
> 2) auditing compliance with the new tiers.
Again no! There is nothing new here in that respect. The Mozilla CA
policy will not define/change CA policies and practices. No new audits
are needed. Nothing will change in this respect. As you indicated, there
are many different levels of verifications performed at CAs, just the
browsers don't know what to do with it, because of the lack of proper
definition. This is what it's all about.
> It could also take up to
> three years to bring the new classification system online, assuming
> CAs would only issue certificates with the new OIDs upon renewals.
CAs issuing certificates with longer validity than one year are anyway
acting irresponsibly! Or can anyone guarantee that during the course of
one or more years, the subscriber:
- Didn't change its name?
- Changed its address?
- Did renew its domain name? **
> Ouch, to put it mildly.
Ouch for the CA issuing certificates for three years....eat your hat!
** Just imagine, you have a certificate valid for three years and owned
a fairly popular domain name. You simply don't renew the domain name and
another party picks the name. Now you have a completely valid
certificate for a domain name which doesn't belong to you anymore. How's
that?!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390