Re: EV guidelines

2007-02-04 Thread Florian Weimer
* Eddy Nigg: According to my reading of Verisign's CPS, the site visit is not required if the applicant can prove that it's incorporated at the given address. Mmmhh, may I ask, what exactly has the Verisign CPS to do with the EV guidelines? I was under the impression that the EV appndexi

Re: Study questions EV certs effectiveness?

2007-02-04 Thread Dan Veditz
Eddy Nigg (StartCom Ltd.) wrote: But also back and again...EV is a business plan! It has nothing to do with the supposed verification procedures, because the procedures existed in similar forms already...any CA is free to pick these procedures as their own and start issuing certificates

Re: Flowchart covering SSL checks, error states, dialogs

2007-02-04 Thread Dan Veditz
Nelson B wrote: These proposals are all now about a year old. They were barred from consideration for FF2. Let's hope they will be considered for FF3. Redesigning the security UI is a P1 for Firefox 3. Redoing the errors was explicitly added as a line item when we went over the plan this

Re: EV guidelines

2007-02-04 Thread Ben Bucksch
Boris Zbarsky wrote: Ben Bucksch wrote: See below. Natural persons have a passport As pointed out several times now, this is not strictly true. I argued that * the difference is not serious in this case. It may actually be relevant (if you don't pay for your children, you don't

Re: Study questions EV certs effectiveness?

2007-02-04 Thread Eddy Nigg (StartCom Ltd.)
Hi Dan, Dan Veditz wrote: Yes, they could but the presentation in the browser is exactly the same whether they do or don't. Why would they bother doing it the hard way? More and more CAs are apparently asking themselves that question. Well no! CAs did in the past and today offer thorough

Applicability of SSL / use-cases

2007-02-04 Thread Ben Bucksch
(Followup-To m.d.crypto) In private discussion, Eddy of StartCom suggested SSL CA certs for * internal sites (company webmail/IMAP, VPN etc.) * private discussion (blogs, forums, chat) * generally everything where you supply a login/password. I think other solutions are more

Applicability of SSL / use-cases

2007-02-04 Thread Ben Bucksch
(Followup-To m.d.t.crypto) In private discussion, Eddy of StartCom suggested SSL CA certs for * internal sites (company webmail/IMAP, VPN etc.) * private discussion (blogs, forums, chat) * generally everything where you supply a login/password. I think other solutions are more

Re: EV guidelines

2007-02-04 Thread Florian Weimer
* Eddy Nigg: if the EV guidelines require a site visit They don't, as far as I can tell. Evidence provided by a Qualified Independent Information Source (QIIS) is usually sufficient. Verisign seems to have copied this part of the guidelines verbatim. Now the interesting question is how much

Re: EV guidelines

2007-02-04 Thread Eddy Nigg (StartCom Ltd.)
Florian Weimer wrote: They don't, as far as I can tell. Evidence provided by a Qualified Independent Information Source (QIIS) is usually sufficient. Verisign seems to have copied this part of the guidelines verbatim. Guess what...they wrote most of the guidelines by themselves! Now the

Re: Applicability of SSL / use-cases

2007-02-04 Thread Eddy Nigg (StartCom Ltd.)
Ben Bucksch wrote: If the above is accepted, it would need subtle UI changes, maybe small changes to NSS, maybe changes to the SSL PKI model (removal of expiry, keep only revocation). Well, I guess this discussion is somewhat pointless and your views about SSL are certainly unique. Also one

Re: EV guidelines

2007-02-04 Thread Florian Weimer
* Eddy Nigg: Is the current certificate on https://www.verisign.com/ an EV certificate? It lacks a physical address, which is required by (my reading of) the guidelines. Good catch! Hmm, street address seems to be optional after all. But I don't quite understand why the certificate

Re: EV guidelines

2007-02-04 Thread Florian Weimer
* Eddy Nigg: Certain is good...hasn't Verisign its own domain registry department? Conflict of interest? The guidelines explicitly forbid that they use themselves as a QIIS. (Which makes it kind of interesting how you issue your own certificate.) But everyone else could still use

Re: EV guidelines

2007-02-04 Thread Ben Bucksch
Florian Weimer wrote: The guidelines explicitly forbid that they use themselves as a QIIS. (Which makes it kind of interesting how you issue your own certificate.) I guess you have to look yourself up in the phonebook. (And discover how outdated/wrong it is.) -- When responding via