Hi Again.... Frank Hecker wrote: > First, we need to reach a consensus on what to do about CAs audited > under the draft WebTrust EV criteria. AFAICT right now if we applied our > policy strictly we wouldn't have any CAs that comply with it, and may > not have any for some time to come (per my point below). However it's > not clear to me a) if the differences between the draft WebTrust EV > criteria and the final WebTrust EV criteria are actually that > significant, and b) if they are significant, to what extent they're > security-relevant. (Because after all our ultimate concern is users' > security, not guidelines and criteria per se.) Well, this is a dangerous statement, because CAs are all about policies and criterion, security is only part of the implementation of these. To explain my point, there are CAs which might be very appealing to subscribers and perhaps even "secure" to a certain extend, but they don't have any policies in place nor a way to govern and enforce them. Neither was a criteria applied to confirm these policies....
Therefore let me disagree with you and rephrase that to "Because our ultimate concern is the users security we need guidelines, rules and criterion". Otherwise we just might want to skip all the hassle and have all requests approved...why bother? As we've done in the not so distant past, we had to adjust the Mozilla CA policy in order to support EV, which was the only right thing to do at the time. Else we shouldn't bother with a policy either. I think this to be very important, because this is what Mozilla expects from the CAs as well in turn... > This is where I could use > help from people more familiar with the nitty-gritty details of the > WebTrust EV criteria and the underlying EV guidelines. > I could try to dive into this and find out what the differences are in relation to the criteria and audits. However it might be that not all information is available to me at this stage (must check). As I understood from a representative of KPMG, there are differences (including the pricing) on the EV readiness audit and the real EV audit...Maybe some more information can be received from the CAB forum too, in addition to comparing the draft and final. Who is currently representing Mozilla at the CAB forum? > If the differences really aren't that relevant from a security > perspective then arguably we should consider a provisional approval > scheme like I mentioned earlier. We aren't talking about the case of > "audited" vs. "not audited"; all the CAs in question have been audited, > albeit under slightly different criteria than in our current policy. > Also, a CA that got audited prior to 2007/09/30 (when the final WebTrust > EV criteria went into effect) is not instantly going to re-do its audit; > for reasons of cost and other factors it's typically going to wait for > the next audit cycle. This introduces a fair amount of (IMO) > unnecessarily arbitrary variation in when CAs are able to get approved > for EV in Mozilla products. > Again, the question is policy wise and a moral one. Not going to voice my opinion beyond the explanation from above. > Second, we need to triage the EV requests to see which are most suitable > for consideration right now. For example, we might privilege cases where > the root in question is already in NSS/Mozilla and just needs upgrading > for EV, since we can leverage work already done for the original > approval. Here I could use help both to do the triage and also to follow > up and get the relevant questions asked and answered regarding the CAs > we're looking at first. > OK, I could pick the first four or five requests from your list and start to work on it...or just assign a few bugs to me and I'll go through them. Whatever you prefer... -- Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390 _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
