DefaultQ2QAvatar.signCertificateRequest well sign any request, so long as it just has a Common Name.

[tomprince]

I think perhaps it should only sign certificates that match the avatar.

[glyph]

It should also probably specify some basicConstraints but I've totally forgotten how to do that.

[glyph]

Actually, I think that Vertex should do the thing that startssl does, where they discard everything about the CSR except for the public key.