
cacert-policy - Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC

Subject: Policy-Discussion

  • From: "Peter Williams" <home_pw AT msn.com>
  • To: "'Policy-Discussion'" <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC
  • Date: Mon, 20 Oct 2008 20:19:54 -0700
  • List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

 

The Mozilla CA Certificate Policy uses wording like 'We consider verification of certificate signing requests to be acceptable if it'

This is acceptable (if you are still ‘with’ the legal formalisms). A CSR is (self)signed. (a) you are thus properly “verifying”, since it’s a signature. Second, in a semantic leap based on policy, a CSR is technically a prototype cert (in a non-X.509 format) in some CPSs. Thus, “sponsored” by an LRA (assurer in CAcert), and “subscribed to” by the user, it gets “validated” by a/the relying party known as a CA. During this act, there are validation procedures – such as EV. As a final step the IA component of a CA registers the cert, turning it from prototype/temp to accepted cert, at which point obligations are passed to all types of relying party other than the CA and subscriber.

Ahem.

Yes, it’s legal bullshit. But, writing it is highly paid… and its author (not me) made over $50M. So…

Remember, if like VeriSign, you are going to warrant now over 25 billion dollars, you need a strong basis to convince the “insurers”. Since one cannot issue US-style junk bonds to cover this kind of non-investment warranty, you have to go to pure risk markets, like Lloyds.



