Eddy Nigg (StartCom Ltd.) wrote:
> Florian Weimer wrote:
>> They don't, as far as I can tell. Evidence provided by a Qualified
>> Independent Information Source (QIIS) is usually sufficient. Verisign
>> seems to have copied this part of the guidelines verbatim.
>
> Guess what....they wrote most of the guidelines by themselves!

Eddy,

You are continually damaging your credibility in this discussion by
throwing around unnecessarily barbed comments and wild accusations of
conspiracy and wrongdoing.

I can state with certainty that Verisign did not "write most of the EV
guidelines". I know, because I watched the drafting process.

>> Is the current certificate on https://www.verisign.com/ an EV
>> certificate? It lacks a physical address, which is required by (my
>> reading of) the guidelines.
>
> Good catch! More than that, it was signed and issued long before the EV
> guidelines were approved (How could they know what the guidelines will
> be?).

The issue date of the certificate is the 7th of December 2006, which is
after draft 11 was published. No version of the EV guidelines has yet
been approved by the Forum, as you know. Verisign's certificate
presumably is part of Microsoft's EV program.

> And even more disturbing is the fact that the certificate is
> valid for a period of _two_ years, whereas the guidelines speak strictly
> about _ONE_ year only!!!!

That just isn't true. Section 8 a) of the EV Certificate Guidelines
gives the maximum validity period as 27 months. It recommends 12, but
that is only a recommendation.

Gerv