* Kyle Hamilton: > I'm more than happy to set a policy, then set a cut-off date, and then > cut out all CAs that don't comply by that date. Regardless of the > "track record of not requiring DV", this is very much like the court > system relying on precedent for some case and the > legislature/executive being able to move to block it.
Sure, what would be needed to move in that direction? It's probably not possible to require DV per se, but I would appreciate if Mozilla could send a more consistent message regarding domain ownership/control requirements. I really don't understand what the CAs are doing here. Are they really issuing certs for seb.fin right now (brand picked arbitrarily, but with non-obviousness in mind)? The other side of the coin is that Mozilla's unknown certificate UI was very bad in the 3.0 release, so I can see why there's a business case for certs for not globally existing domains. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security