Heikki,
Thanks for taking the time to read the draft thoroughly.
(Can we use section numbers rather than page numbers? Because there are
two sets of page numbers - document page numbers and those on the pages
themselves. Thanks.)
Heikki Toivonen wrote:
> * I don't actually see why individuals would need EV certificates, at
> least during the first round. The way I see it EV certificates would be
> mostly needed for banking and business, and most of that is AFAIK
> conducted by actual companies and not individuals directly.
There are complex political reasons why many CAs want individuals
included in the first draft. In terms of solving the phishing problem, I
agree with you - as does Microsoft. As their latest blogpost implies:
http://blogs.msdn.com/ie/archive/2006/11/07/improving-ssl-extended-validation-ev-ssl-certificates-coming-in-january.aspx
they are going ahead with an initial implementation based on the
existing draft, without a CA/Browser approval vote.
> p. 10: Excluded purposes
> * Has there been any thought about supporting any of the excluded
> purposes? What if EV certificates would only be available for entities
> who had already maintained a web presence at the same address for at
> least a year? Auditors would then have some history to base an
> investigation on.
I believe the objection to this is that it's raising artificial barriers
to competition.
> p. 11: Warranties
> * What are the reasonable steps? Were they all described later in the doc?
In general, if the draft has language like that, it means that the
WebTrust auditor will check they are doing it in a sane manner. Does
that answer your question?
If there was a method of doing it which had been shown to be spoofable,
for example, an auditor probably wouldn't recognise it as being "a
reasonable way to verify".
> p. 15: Domain name
> * Would it be possible to go with dNSName only?
> * If both commonName and dNSName are present, how is this situation handled?
> * Wildcards are not allowed, but are multiple dNSNames allowed?
The technical details are really being overseen by Bob Lord, Bob Relyea
and Nelson Bolyard, who joined the CA/Browser Forum mailing list a few
months ago. I believe there was some discussion on this mailing list
about this issue, but I didn't follow it.
> p. 17: validity period
> * Where does 27 months come from?
I believe it's probably "2 years plus some wiggle room for issue in
advance".
> * The documents listed all have 1 year expiration, so how is 27 months
> even possible?
I'm not sure what you mean by this.
> p. 21: reporting
> * There doesn't actually seem to be much incentive for the applicant to
> report if they have to pay for the new certificate as well. You could
> make it so that the CA would give a free corrected certificate for the
> remainder of the old one, or you could have the renewal process check if
> the old information is correct and if not, refuse to supply a new EV
> certificate until a year later. I am in favor of the first as the latter
> leaves a window of unsafe/inaccurate information.
I guess some CAs could offer free updates as a market differentiator.
I'm not sure we could refuse to supply based on past bad behaviour,
because that would require a conspiracy among the CAs not to serve a
particular "blacklisted" customer.
> p. 26: verifying private registration
> * I think it needs to be MUST to contact the applicant even in the case
> of private registration to confirm the identity of the applicant.
So you are objecting to the possibility of 18 b) 1) a)?
> The CA
> MUST then store this information privately at least for the duration of
> the certificate validity time.
I assume the CA would store copies of all information used to issue the
cert anyway, in case of future problems or audit.
> Obviously, this information MUST NOT be
> sold or given away except to comply with a subpoena or similar legal act.
Privacy is an issue currently being addressed.
> p. 27: Mixed character set
> * This leaves me a bit uneasy feeling. Are there no standards for mixed
> charset domain names? Must we rely on domain registrar's judgement?
> Could there be any algorithms to compare these to other High Risk domain
> names?
I, in fact, argued for the removal of anything about this because it's
out of scope for this forum. Protection against homograph spoofing is
important, but if we have lots of different layers with different rules,
it's going to cause problems.
Mozilla already has an effective anti-homograph-spoofing system (modulo
bugs).
> p. 49: CA liability
> * (1) I find it bizarre that the draft allows a CA to limit its
> liabilities if it has not followed the EV guidelines. Why is this here?
I hadn't noticed that. I can ask. Note, however, that it's $2,000
minimum per relying party - i.e. for each person defrauded.
> p. 56: minimum crypto
> * I find it depressing that the minimums allowed are so weak until 2010.
> Any way to bring this deadline earlier, say 2008?
Again, I believe this was discussed on the list. Perhaps Bob, Bob and
Nelson have something to say?
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
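The domain-name, validity-period and mixed-character-set points raised in the thread above can be turned into a pre-issuance lint. The following is an added example, not code from the thread or from the CA/Browser Forum draft; the profile dictionary, its field names and the sample certificates are constructed, and the script check is a coarse heuristic based on Unicode character names, not a full per-script allowlist like a browser's.

```python
import calendar
import unicodedata
from datetime import date

EV_MAX_VALIDITY_MONTHS = 27  # figure discussed in the thread


def add_months(d, n):
    """Return date d shifted by n months, clamping the day to the month's length."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def script_of(ch):
    """Coarse script name from the Unicode character name, e.g. 'LATIN', 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def lint_ev_profile(profile):
    """Return a list of findings for a constructed certificate profile dict.

    Checks: dNSName SANs present, commonName (if any) is one of them,
    no wildcards, no label mixing scripts, validity at most 27 months.
    """
    findings = []
    sans = profile.get("dns_names", [])
    cn = profile.get("common_name")
    if not sans:
        findings.append("no dNSName in subjectAltName")
    if cn and cn not in sans:
        findings.append("commonName %r not among dNSNames" % cn)
    for name in sans:
        if "*" in name:
            findings.append("wildcard name not allowed: " + name)
        for label in name.split("."):
            scripts = {script_of(c) for c in label if c.isalpha()}
            if len(scripts) > 1:
                findings.append("mixed-script label %r: %s" % (label, sorted(scripts)))
    limit = add_months(profile["not_before"], EV_MAX_VALIDITY_MONTHS)
    if profile["not_after"] > limit:
        findings.append("validity exceeds %d months" % EV_MAX_VALIDITY_MONTHS)
    return findings


# Constructed sample profiles: one clean, one violating every rule above.
GOOD = {"common_name": "www.example.com", "dns_names": ["www.example.com", "example.com"],
        "not_before": date(2007, 1, 15), "not_after": date(2009, 1, 14)}
BAD = {"common_name": "example.net", "dns_names": ["*.example.net", "p\u0430ypal.example.net"],
       "not_before": date(2007, 1, 31), "not_after": date(2009, 5, 15)}
```

The second SAN in BAD uses a Cyrillic "а" (U+0430) in an otherwise Latin label, the homograph case the thread refers to; its 27-month limit lands on 2009-04-30, so a not_after of 2009-05-15 is flagged.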