Frank Hecker:

The problem is that while the EV guidelines contain an explicit requirement for annual audits, they don't dictate things like the length of the grace period that browser vendors should give CAs once their audits expire.

In fact, it's not even clear from the EV guidelines exactly when an audit "expires"; for example, should we count from the end of the period for which the audit applies, from the date that the audit report was actually issued, or from some other date?

I don't view this as a problem which would prevent us from implementing the controls needed. I'd go for the date of the audit as the date of expiry (plus 365 days, which makes sense since we don't expect another audit report before one year has passed from the current report).


To be clear, I agree with you that we should remove our "EV blessing" from CAs that don't meet the EV guidelines requirement for annual audits.

Consensus.


First, if and when we do have to turn off EV for CAs, we don't need to do it one by one. We can simply schedule such changes for the normal security update cycle, and batch changes for multiple CAs into a single update release.

Second, the security updates are very effective in terms of getting changes out to users. For example, for Firefox 2 we got 90% of all users upgraded within a week of releasing a new Firefox 2.0.0.x update, and overall got ~95% penetration for the updates:

http://blog.mozilla.com/security/2007/06/18/time-to-deploy-improvement-of-25-percent/
http://arstechnica.com/news.ars/post/20070518-firefox-users-lead-the-way-in-keeping-up-to-date.html

Since the automated update mechanism is turned on by default in Firefox, I suspect that almost all of the people not getting automated updates are those that have turned it off themselves, or whose organizations have turned it off for them, presumably out of a distrust of automated updates in general. Those same people would likely turn off other features that automatically contacted Mozilla for updates.

OK, I think this sounds convincing! We might still think of other ways (already now) as possible solutions, should one day the schedule of updates change (and FF3 turns out to be flawless without any bugs ;-) ).


--
Regards
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
