Gervase Markham wrote:
> We need to make sure that the audit firm a CA uses is trustworthy
Right up to here...
> to assess under the Webtrust guidelines.
Not!
> Who better to decide that than the people who wrote the guidelines?
Mozilla does! Please read sections 9 - 12 from
http://www.mozilla.org/projects/security/certs/policy/
> http://www.cabforum.org/WebTrustAuditGuidlines.pdf
Excellent! Thanks!
> I don't think that should be the goal. Because of the nature of EV
> (and the additional resources and requirements necessary for doing the
> extra validation) it may well be that there are some CAs who do not
> have the resources to take it on, or cannot make a business case for
> doing it. Saying that all CAs in the store should be able to issue EV
> is basically saying "EV should be the same as what we have now".
Absolutely not! I disagree with you strongly!
Extra validation (maybe they aren't that "extra" anyway - who says that
CAs don't perform and offer similar or better validations already
today?) can be performed by a CA wishing to do so, but you should
perhaps read http://financialcryptography.com/mt/archives/000835.html
And yes, I suggest that any CA conforming to the Mozilla CA policy
should be able to issue all certificates of any strength, including EV.
This absolutely doesn't mean "the same as what we have now". It's the
verification procedures which might make the difference, not the cartel
webtrust audit!
> I agree there should not be any unnecessary barriers.
Nice... now we just disagree on what "unnecessary" means :-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security