[cabfpub] [cabfman] Improving the security of EV Certificates
gerv at mozilla.org
Thu Dec 19 15:56:35 UTC 2013

On 19/12/13 04:01, kirk_hall at trendmicro.com wrote:
> Gerv -- on your last point, how would the issuing CA know that an
> inquiry was coming from its "own customer"? An inquiry could come
> from someone pretending to be with a customer, or a member of the
> public, or someone who is with the customer but not a contact we have
> dealt with.

Yes, you are right.

Do we need to think now about how to reduce the incidence of false
complaints, or shall we wait and see if it's a problem in practice?

One could imagine, for example, if false complaints tended to be 3rd
parties complaining about certs for topsites, we could establish a
registry of "valid complainants" for topsites, such that a complaint
about something.foo.com could only come from the contact in the
registry, and all others could be discarded.

> Today, CAs have to provide a means for anyone in the
> world to complain about a cert they have encountered.

So what is changing?