On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy <
[email protected]> wrote:

> Paul Walsh via dev-security-policy <[email protected]>
> writes:
>
> >I have no evidence to prove what I’m about to say, but I *suspect* that the
> >people at BSI specified “EV” over the use of other terms because of the
> >consumer-visible UI associated with EV (I might be wrong).
>
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV.  If there was a
> Mother-validated cert type, the list would no doubt have included MV as well.
>

I think this is even easier. Kirk linked the article which links to the
actual requirements at
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf

In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung
(Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung
(Organizational-Validated-Zertifikate, OV) sowie Zertifikate mit
erweiterter Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt
werden".

Bing Microsoft Translator says the English translation is "Certificates
with domain-based validation (domain-validated certrifikate, DV), with
organization-based validation (Organizational-Validated Certificates, OV)
as well as certificates with Extended Validation Certificates MUST be
supported"

This appears to be the only reference to EV in the requirements.  Given the
discussion has been around moving the UI treatment of EV to match OV
(versus having a distinct EV-only UI treatment), I don't think there is
likely to be any impact on the BSI conformance results.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
