Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker wrote:
<snip>
>> (Because after all our ultimate concern is users'
>> security, not guidelines and criteria per se.)
> Well, this is a dangerous statement, because CAs are all about policies
> and criteria; security is only part of the implementation of these.

I'm not saying guidelines and criteria are not important; I'm simply saying that we should not be overly rigid in terms of which criteria and guidelines we consider acceptable. E.g., if we have two sets of criteria and we judge them pretty much equivalent in terms of the resulting security for our users, then if we consider the first acceptable then arguably we should consider the second acceptable as well. This is the same reasoning that led us to include multiple sets of criteria in our original CA policy (e.g., WebTrust, ETSI, etc.).

In this case I am saying that if the draft EV guidelines and WebTrust criteria are pretty much equivalent in terms of security impact, then we should consider accepting the draft as well as the final versions as acceptable, at least on an interim basis. (For example, we could revise our policy to deem the draft guidelines and criteria as acceptable for CA requests submitted prior to a certain date.)

>> This is where I could use help from people more familiar with the
>> nitty-gritty details of the WebTrust EV criteria and the underlying EV
>> guidelines.
>>
> I could try to dive into this and find out what the differences are in
> relation to the criteria and audits. However it might be that not all
> information is available to me at this stage (must check).

All I am concerned about is the difference in the criteria and guidelines as published, i.e., draft 11 of the EV guidelines vs. the 1.0 guidelines, and the WebTrust EV draft criteria vs. the final criteria; these documents are all on the cabforum.org site. However, don't feel obligated to work through these yourself; I believe there are others on this list who have more first-hand experience with the differences between the draft and final versions, and can answer this question without needing to do lots of research. As implied above, IMO the key question is whether the differences are such as to make a significant difference in security as far as our users are concerned.

> Who is currently representing Mozilla at the CAB forum?

Johnathan Nightingale is our main de facto representative since Gerv had to cut back his CA-related activities.

> OK, I could pick the first four or five requests from your list and
> start to work on it...or just assign a few bugs to me and I'll go
> through them. Whatever you prefer...

Let me think about which requests would be most fruitful to work on first, and get back to you later today.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto