On Sep 10, 5:51 pm, "Ian Fette" <[EMAIL PROTECTED]> wrote:
<snip>
> > 1. Do Google, as a browser creator, intend to join the CA/Browser
> > Forum (http://www.cabforum.org) ?
>
> This is something we will have to discuss internally. I'm aware of CA/B
> Forum and the work that goes on there.

Google would certainly be eligible for membership, since it now "produces a software product intended for use by the general public for browsing the Web securely." (See http://www.cabforum.org/forum.html).

<snip>
> > 3. Chrome on Windows appears to rely on the certificates found in the
> > Microsoft Trusted Root Certificate Store, but has its own list of EV
> > Policy OIDs (in net/base/ev_root_ca_metadata.cc). Having done that,
> > why didn't you use the EV Policy OID metadata built in to the
> > Microsoft Trusted Root Certificate Store instead of creating your own
> > list?
>
> Do you have a pointer to any documentation on this? I'm not sure if we knew
> it existed to be perfectly honest.

I'm not aware of any official documentation from Microsoft.

<snip>
> > 5. What Root Certificates will Chrome on Mac and Linux trust, since
> > the Microsoft Trusted Root Certificate Store is Windows-only? Why
> > didn't you use Mozilla NSS's Root Certificate DB instead, since NSS is
> > already cross-platform? (And then, why not use Mozilla PSM's list of
> > EV Policy OIDs instead?)
>
> We want to do what's native on the platform.

What advantages do you see in taking a "what's native on the platform" approach, rather than using NSS on all platforms (as Mozilla does) for both the crypto code and root certificate store?

<snip>
> Green bar may appear in Chrome some day, it may not. It wasn't a high
> priority thing - I don't think it really adds much value. What it tells you
> is that a site went through an extended validation process, but that's
> really not that meaningful in my opinion - the meaningful part about EV is
> that you have a verified identity.

Agreed.

<snip>
> Telling someone to "look for the lock" is not really great advice, because
> anyone can get a certificate and "get the lock".

Agreed. This is why the EV standard was created.

> Similarly, I don't think that telling someone to "look for the green bar" is
> good advice, because anyone can get the green bar by going through
> the validation process and supplying truthful information. (granted, it's a
> slightly higher bar, but by no means insurmountable).

I agree, but...in the real world, many CAs *are* offering this advice.

> The valuable thing is to tell someone to look at the identity information
> provided and validate that information against their expectations.

Agreed.

<snip>
