Frank Hecker wrote:
> The first step is getting a complete list of all 
> current EV-related CA requests. I believe the following is the complete 
> list, based on searching bugzilla:

Here's a quick take on each request. The principal parameters I looked 
for are as follows:

* Is this request for an existing root to be upgraded for EV, or for a 
new EV-enabled root to be added?

* What version of the EV guidelines does the CA claim compliance to?

* What type of audit was done? For example, was this done using the 
draft WebTrust EV criteria? Final WebTrust EV criteria? Something else?

The last two points are connected, in that the draft WebTrust EV 
criteria reference the draft 11 EV guidelines, while the final WebTrust 
EV criteria reference the final 1.0 guidelines.

> * Secomtrust (394419)

Request to upgrade two existing roots for EV, and add a new EV root? 
(This is not 100% clear from the bug, based on the original description 
vs. comment #6.) Audit was done against draft WebTrust EV criteria. 
(Note that there was apparently one issue with the audit, as noted in 
the report.)

> * Comodo (401587)

Request to upgrade 11 existing roots for EV, and add one new EV root. 
Audit was done against draft WebTrust EV criteria (I think). (This is 
not exactly clear from the bug or the report.)

> * VeriSign (402947)

Requests addition of new VeriSign EV root (though the bug also mentions 
Thawte and GeoTrust roots -- see also below). Audit was done against 
draft WebTrust EV criteria.

> * Valicert/Starfield/Go Daddy (403437)

Request to upgrade three existing roots for EV. Audit was done against 
draft WebTrust EV criteria.

> * Digicert (403644)

Request to upgrade an existing root for EV. Audit was done against draft 
WebTrust EV criteria (I think). (This is not exactly clear from the bug 
or the report, but inferred from the date of the report.)

> * QuoVadis (403665)

Request to upgrade an existing root for EV. Audit was done against draft 
WebTrust EV criteria.

> * Network Solutions (403915)

Request to add a new EV root? (As noted in comment #2, this is not clear 
from the information supplied.) It's not clear from the bug whether a 
WebTrust EV audit has been done; the referenced audit appears to be for 
vanilla WebTrust.

> * GlobalSign (406796)

Request to upgrade an existing root for EV, and add a new EV root. (At 
least this is how I interpret it.) Audit was done against the draft 
WebTrust EV criteria; the audit report is not available on the web.

> * Thawte (407163)

Request to add a new EV root. It's not clear from the bug whether a 
WebTrust EV audit has been done; the referenced audit appears to be for 
vanilla WebTrust.

> * GeoTrust (407168)

Request to add a new EV root. It's not clear from the bug whether a 
WebTrust EV audit has been done; the referenced audit appears to be for 
vanilla WebTrust.

> * Trustwave (409837, 409838, 409840)

(Aka SecureTrust, aka XRamp) Requests to upgrade an existing (XRamp) 
root for EV, and add two new EV roots. (At least this is how I interpret 
it.) I'm not sure whether the audit was done against the draft WebTrust 
EV criteria or the final WebTrust EV criteria; this is not 100% clear.

> Next step is figuring out the basic parameters for each request.

If anyone wants to double-check my conclusions above please feel free; I 
could use some help with this.

One more parameter worth looking at is whether the audits were done 
prior to the CA offering EV certs (which I think is what people mean by 
a "readiness audit") or whether they reflect actual operational 
experience in issuing EV certs. I noted this for a few CAs, but haven't 
yet done an exhaustive check on all the CAs above.

Note that all (or almost all) of the audits done were apparently against 
the draft WebTrust EV criteria and not the final WebTrust EV criteria. 
Our policy references the final WebTrust EV criteria, which had recently 
been adopted when we revised the policy. It's an open issue whether we 
want to revisit that choice, at least on a provisional basis. For 
example, we could provisionally approve a CA for EV based on an audit 
against the draft criteria, on condition that the next audit be against 
the final criteria. Otherwise I'm not sure we'd have any EV-capable CAs 
at all in Firefox 3.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
