Why are you requiring that of GeoTrust? What happens if they don't provide that service?
Then the browser UI I write doesn't mark their certs as "suitable for commerce" :-)
GeoTrust are presenting "2nd Generation" automated identity checking as being much better than "1st Generation" manual checking. I was raising the point that it's no better if you still can't get any traceability back to a real person.
Shouldn't you be accepting GeoTrust's offering for what it is that the offer?
Absolutely. If all they are doing is saying "I definitely issued this cert to the person who actually controls the domain", then I'll mark the connection as encrypted but not safe for commerce.
Gerv _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
