Frank Hecker wrote:

> After thinking about it, I think it may be possible to do this just by
> adding a final paragraph to section 6 of the current policy:
>
> In addition, if a CA wishes its certificate to be marked to note that
> Extended Validation certificates may be issued under the associated CA
> hierarchy then we require that the CA comply with the "Guidelines for
> the Issuance and Management of Extended Validation Certificates,
> Version 1.0" (as modified by the erratum published by the CAB Forum),
> and have its compliance attested to in accordance with the
> requirements of Section J of that document.

Hi Frank,
Shouldn't this be part of section 8, as this is a criterion for CA operations (and its associated audits)? After reading your proposal I would suggest alternatively the following:

_Under section 7_

"We consider verification of certificate signing requests to be acceptable if it meets or exceeds the following requirements:"

Add a fourth part with something like this:

"for a certificate to be used for and marked as Extended Validation the CA complies with the "Guidelines for the Issuance and Management of Extended Validation Certificates, Version 1.0" (as modified by the erratum published by the CAB Forum), and has its compliance attested to in accordance with the requirements of Section J of that document."

(As a by-note, I'm not sure the version number should be used, or whether any future versions should be included instead. Something like "Guidelines for the Issuance and Management of Extended Validation Certificates according to the most actual version as published by the CAB forum....")

_Under section 8_

"We consider the criteria for CA operations published in any of the following documents to be acceptable:"

Add the criteria and guidelines for the Issuance and Management of Extended Validation Certificates as published by the CAB forum. (Obviously, after performing an EV audit, this should allow the issuance of regular non-EV certificates as well.)

Additionally I would like to see somewhere a disclaimer which would allow Mozilla in the future to accept alternative auditors other than the ones approved by the CAB forum for EV, without the need to change the Mozilla CA policy again in order to allow that. This doesn't mean that Mozilla _must_ accept them, but it would keep the option open in the same way as the policy has other such disclaimers concerning different aspects.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto