GSA/https

certificates.md - general comments

jimfenton opened this issue · 1 comments

A few miscellaneous comments on the new certificates.md page:

  • The signature from the CA vouches for the relationship between the public (not private) key and the authorized... since that's what the CA has to sign.
  • Under "technical information" contained in the certificate, it would be good to list algorithms as well since there is discussion later about use of SHA1.
  • It vouches for hostname(s), not domain(s), since certificates (except wildcards) are valid for specific hosts, not the whole domain (even though it's validated by domain).
  • "CA it trusts has decided to trust the website" overstates what the CA is trusting, since it hasn't even looked at the website. It trusts that the website is controlled by an authorized party.
  • Some quantification of what is meant by "shorter lived" might be useful. Are we talking about days or years?
  • I wince a little at RFC 6962 being called "the official standard" since it's an experimental RFC. IETF has a big problem with people calling anything with an RFC number a "standard", and hate to see that perpetuated.

Thanks @jimfenton, I moved your comment to #149 at #149 (comment).