Here are some points, questions and suggestions which we'd like to raise
about the proposed EV certificate draft. Obviously they are mostly of
interest from our perspective:
1.) As mentioned already on the list, extension to individuals in some
form would indeed be interesting.
2.) Under section C. 4. (a) Compliance:
It is not fully clear to us how approval by the CA/Browser Forum is
performed and how equivalents of the WebTrust programs are defined. In J.
(a) 1) it says "or a currently valid unqualified opinion indicating
compliance with equivalent audit procedures approved by the CA/Browser
Forum", but this unqualified opinion is nowhere defined. Also,
membership of the CA/Browser Forum is currently an exclusive club of
CAs, but we'd like to know if issuance of EV certificates is a
requirement for membership, or can there be membership without actively
issuing EV certificates? It is regrettable that there is explicit
mention of "WebTrust" instead of "a neutral and competent 3rd
party", or allowance for alternatives such as ETSI. This monopoly isn't
really healthy and doesn't reflect the Mozilla CA policy! Additionally
we'd suggest making sure that CAs approved and included by a minimum
of one or two software vendors' software will be able to issue EV
certificates (according to the guidelines) and be accepted as such by the
relevant software vendors, including the listing of the CA in the CA/BF,
even if a CA is not present in some of the (other) software vendors.
3.) Under section C. 4. (c) Insurance:
The draft mentions two different insurances with 2 million, resp.
5 million US$ coverage. However, it doesn't say if these insurances are
for all the CA business or only for the EV certificates. Assuming that
it means all the CA business a CA may perform, there is still no
ratio given to issued certificates, meaning that there is a difference
if a CA issued 1 million certificates or 100 (just an extreme example).
I suggest making that relative to the issued certificates, i.e. for
every X issued certificates the CA must be covered for Y US$.
The value of an insurance may decrease tremendously for CAs which
issue big amounts of certificates, making big CAs potentially weaker
insured than smaller ones, whereas smaller CAs would have a higher
overhead for insurance costs they don't really need because of the
smaller amount of issued certificates. In short, this should perhaps be
defined better.
4.) Also not clear is how the software vendor "knows" whether a
certificate is EV. We understand that CA roots and Intermediate CA
signer certificates can be marked as EV issuers; however, Intermediate CA
lifespan is usually shorter than that of the root certificate of the CA, in our
case valid for 5 years. Do software vendors have to manage a list of
CA signer certificates which are EV issuers? How does Mozilla intend to
handle/manage that?
These are the most critical parts which we think should be addressed. We
will not "vote" on whether to follow the "psychological" green address bar, but
would like to have the issues above addressed properly. Additionally,
here are a few suggestions: Obviously a very small number of businesses will
acquire EV certificates, but this somehow discriminates against other properly
verified and serious certificates issued, making them "less" valued,
which we think is wrong! When the idea was first published, we expected
that certificates would be more divided into categories, such as Class 1
- 4, or in other words:
1) Domain validated only,
2) Reasonable verification of the identity/business,
3) Thorough verification of the identity/business,
4) Government authorized or issued, or similar to EV,
reflecting the status by different colors. This would give the user more
indications about the status of the certificate without being a PKI
expert. In the currently proposed draft, the situation will remain
similar to today's confusion, except for the introduction of an elite and
expensive new standard. This is not exactly what was proposed and
suggested in Toronto a year ago (at least to our understanding)!
Therefore the real issue of the "browser lock only" indication is not
solved, which is regrettable!
Thank you for giving us the chance to voice our concerns and opinion.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security