
Re: ACTION-272: self-signed certificates

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Tue, 31 Jul 2007 08:56:53 -0400
Message-Id: <10E76EB8-25A8-4928-A096-D329D877B6A8@mozilla.com>
Cc: public-wsc-wg@w3.org
To: Serge Egelman <egelman@cs.cmu.edu>

On 30-Jul-07, at 6:46 PM, Serge Egelman wrote:

> We went over this.  The $20 GoDaddy example I cited before.  I  
> registered a domain and purchased a certificate using PayPal, and  
> it's all under Stephen's name.  Nothing is linked back to me, there  
> is zero accountability (BTW: Johnathan said that he'd pull the root  
> if this were the case, though I doubt that's happened).

Are you saying that GoDaddy issued you a cert for a domain you don't  
control?  If so, absolutely you should let us know, it's a violation  
of their audit regime and would be a very good reason to pull their  
cert.

Or are you saying that they issued a DV cert for a domain you do in  
fact control, but that they didn't audit the other information, which  
they never claimed to do anyhow?  In which case I admit that I fail  
to see the relevance, but I certainly wouldn't pull their root for  
it, since we never expected them to vet that.  If we did, if we had  
ever really demanded that, we wouldn't have needed EV.

Cheers,

J
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Tuesday, 31 July 2007 13:06:16 GMT
