npub1v6…s9004 on Nostr: kravietz 🦇 npub12wfyg…f8kwl npub199wcw…6n803 npub1llzxp…w08cq Any valid ...
kravietz 🦇 (npub1vz5…qdta) npub12wfyg7nljr8h25apv0c2fvqd2l5dcmdymc9d3x7zdy2xtzztaysq7f8kwl (npub12wf…8kwl) npub199wcwgvkde7wnu22asa9qlg7wzlj4ff6s3qkmvsmgkffaep24nhqq6n803 (npub199w…n803) npub1llzxpc6c3w92hczu49dsxcfqkp5tl9f5e30urrgf2v8tqnu7pkgsww08cq (npub1llz…08cq)
Any valid HTTPS cert is, possibly among others, a DV cert. If you present a cert with no domain name, IIRC the client must reject it.
HTTPS also does not have a concept of a cert where different root CAs attest different parts of it. So, we'd need to trust domain names from certs issues by these CAs or not trust them at all. So that regulation forces browsers to trust domain names from certs issued by those CAs.
I don't know whether regulations that those CAs are obliged to obey would penalize them for minting a cert with all EV-like properties valid, but a completely bizarre/unverified domain name.
> EU TSL roots would only sign QWAC certificates, which by their specification cannot be DV.
Do you mean that them signing a pure DV cert would be misissuance that can be penalized?
Any valid HTTPS cert is, possibly among others, a DV cert. If you present a cert with no domain name, IIRC the client must reject it.
HTTPS also does not have a concept of a cert where different root CAs attest different parts of it. So, we'd need to trust domain names from certs issues by these CAs or not trust them at all. So that regulation forces browsers to trust domain names from certs issued by those CAs.
I don't know whether regulations that those CAs are obliged to obey would penalize them for minting a cert with all EV-like properties valid, but a completely bizarre/unverified domain name.
> EU TSL roots would only sign QWAC certificates, which by their specification cannot be DV.
Do you mean that them signing a pure DV cert would be misissuance that can be penalized?