Gervase Markham wrote:
> All comments welcomed. Ideally, I would be able to give any feedback to
> the editor before November 19th, after which there may be another vote
> on adopting the updated specification. If you have any questions about
> the process or the CABF, please ask.

OK, I finally completed a review of the draft. A lot of it is beyond my area of expertise, but I do have some concerns and questions regarding the current draft.

* I don't actually see why individuals would need EV certificates, at least during the first round. The way I see it, EV certificates would be mostly needed for banking and business, and most of that is AFAIK conducted by actual companies and not individuals directly.

p. 10: Excluded purposes

* Has there been any thought about supporting any of the excluded purposes? What if EV certificates were only available for entities who had already maintained a web presence at the same address for at least a year? Auditors would then have some history to base an investigation on. I do realize this would raise costs significantly, and it could easily get into a grey area... (I noticed that later on in the verification requirements, p. 26, there are some checks to make sure the applicant is an established business, with special steps to take if they are under 3 years old. I like this, but I'd actually like it if there was a requirement of at least one year prior web existence at that address.)

p. 11: Warranties

* What are the reasonable steps? Were they all described later in the doc?

p. 15: Domain name

* Would it be possible to go with dNSName only?
* If both commonName and dNSName are present, how is this situation handled?
* Wildcards are not allowed, but are multiple dNSNames allowed?

p. 17: Validity period

* Where does 27 months come from?
* The documents listed all have 1 year expiration, so how is 27 months even possible?

p. 21: Reporting

* There doesn't actually seem to be much incentive for the applicant to report if they have to pay for the new certificate as well. You could make it so that the CA would give a free corrected certificate for the remainder of the old one, or you could have the renewal process check if the old information is correct and, if not, refuse to supply a new EV certificate until a year later. I am in favor of the first, as the latter leaves a window of unsafe/inaccurate information.

p. 26: Verifying private registration

* I think it needs to be MUST to contact the applicant even in the case of private registration to confirm the identity of the applicant. The CA MUST then store this information privately at least for the duration of the certificate validity time. Obviously, this information MUST NOT be sold or given away except to comply with a subpoena or similar legal act.

p. 27: Mixed character set

* This leaves me with a bit of an uneasy feeling. Are there no standards for mixed-charset domain names? Must we rely on the domain registrar's judgement? Could there be any algorithms to compare these to other High Risk domain names?

p. 49: CA liability

* (1) I find it bizarre that the draft allows a CA to limit its liabilities if it has not followed the EV guidelines. Why is this here?
* (2) I like this; it puts an incentive for the browsers and other software to actually enable CRL/OCSP support by default.

p. 56: Minimum crypto

* I find it depressing that the minimums allowed are so weak until 2010. Any way to bring this deadline earlier, say 2008?

--
Heikki Toivonen

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
