Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
First of all the proposal tries to structure and define SSL
certificates in the Mozilla CA policy first and foremost, about
something which is common practice. It nowhere says how, if and when
the UI should differentiate.
Oh come on, Eddy. Are you telling us that there's any possibility that
we'd do all this work and then _not_ differentiate in the UI?
I think it should. Because Mozilla doesn't have any control over it
in any case! Not today, not with EV and not with this proposal!
Then what is to prevent the CA claiming it does lots of verification
and then actually doing none?
Umm.... How about their audit? The threat of having their cert pulled?
Risk of lawsuits for violating their policy? I am not sure about
WebTrust, but I wouldn't doubt if they have ramifications.
It is VERY much in the interest of the CA to put forth a policy and
stand by it, and then to have insurance in case someone manages to fool them.