Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

[Daniel Marschall via dev-security-policy]

I think the only really important purpose of OV and EV over DV is that they are 
visible on the first sight. Nobody opens the X.509 file to look at the EKU OIDs 
or the subject DN. The requirement could just say that x.509 must be supported, 
but they do differentiale DV, OV and EV.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

[Paul Walsh via dev-security-policy]

On Oct 18, 2019, at 6:39 PM, Peter Bowen  wrote:
> 
> 
>> On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy 
>>  wrote:
> 
>> Paul Walsh via dev-security-policy  
>> writes:
>> 
>> >I have no evidence to prove what I’m about to say, but I *suspect* that the
>> >people at BSI specified “EV” over the use of other terms because of the
>> >consumer-visible UI associated with EV (I might be wrong).
>> 
>> Except that, just like your claims about Mozilla, they never did that, they
>> just give a checklist of cert types, DV, OV, and EV.  If there was a Mother-
>> validated cert type, the list would no doubt have included MV as well.
> 
> I think this is even easier. Kirk linked the article which links to the 
> actual requirements at 
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf
> 
> In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung 
> (Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung 
> (Organizational-Validated-Zertifikate, OV) sowie Zertifikate mit erweiterter 
> Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt werden".
> 
> Bing Microsoft Translator says the English translation is "Certificates with 
> domain-based validation (domain-validated certrifikate, DV), with
> organization-based validation (Organizational-Validated Certificates, OV) as 
> well as certificates with Extended Validation Certificates MUST be supported"
> 
> This appears to be the only reference to EV in the requirements.  Given the 
> discussion has been around moving the UI treatment of EV to match OV (versus 
> having a distinct EV-only UI treatment, I don't think there is likely to be 
> any impact on the BSI conformance results.

[PW] *Fact* - none of us know. So let’s find out. 

Assuming to know what a customer / stakeholder thinks is a rookie mistake. The 
BSI is a major “implementation” and for that reason, I hope Mozilla offer an 
opinion and to learn more. it’s a great opportunity to find out what their 
perception is. 

This forum is like an unhealthy religious cult where people aren’t open to 
being wrong about anything. Can we try to find common ground - such as our 
desire to help make the web safer. 

- Paul
> 
> Thanks,
> Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

[Paul Walsh via dev-security-policy]

On Oct 18, 2019, at 6:31 PM, Peter Gutmann  wrote:
> 
> Paul Walsh via dev-security-policy  
> writes:
> 
>> I have no evidence to prove what I’m about to say, but I *suspect* that the
>> people at BSI specified “EV” over the use of other terms because of the
>> consumer-visible UI associated with EV (I might be wrong).
> 
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV.  If there was a Mother-
> validated cert type, the list would no doubt have included MV as well.
> 
> In fact if you're going to go to sheep's-entrails levels of interpretation,
> they place EV last on their list, and it's phrased more as an afterthought
> than the first two ("must support DV, OV, and also EV").
> 
> You're really grasping at straws here...

[PW] Rather than comment on me, perhaps you could indulge us with your 
interpretation. At least I’m open to being wrong. Are you?

Since it does the same thing as DV in regards to encryption, why do you think 
they specified EV?

- Paul

> 
> Peter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

[Peter Bowen via dev-security-policy]

On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Paul Walsh via dev-security-policy 
> writes:
>
> >I have no evidence to prove what I’m about to say, but I *suspect* that
> the
> >people at BSI specified “EV” over the use of other terms because of the
> >consumer-visible UI associated with EV (I might be wrong).
>
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV.  If there was a
> Mother-
> validated cert type, the list would no doubt have included MV as well.
>

I think this is even easier. Kirk linked the article which links to the
actual requirements at
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf

In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung
(Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung
(Organizational-Validated-Zertifikate, OV) sowie Zertifikate mit
erweiterter Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt
werden".

Bing Microsoft Translator says the English translation is "Certificates
with domain-based validation (domain-validated certrifikate, DV), with
organization-based validation (Organizational-Validated Certificates, OV)
as well as certificates with Extended Validation Certificates MUST be
supported"

This appears to be the only reference to EV in the requirements.  Given the
discussion has been around moving the UI treatment of EV to match OV
(versus having a distinct EV-only UI treatment, I don't think there is
likely to be any impact on the BSI conformance results.

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser

[Peter Gutmann via dev-security-policy]

Paul Walsh via dev-security-policy  
writes:

>I have no evidence to prove what I’m about to say, but I *suspect* that the
>people at BSI specified “EV” over the use of other terms because of the
>consumer-visible UI associated with EV (I might be wrong).

Except that, just like your claims about Mozilla, they never did that, they
just give a checklist of cert types, DV, OV, and EV.  If there was a Mother-
validated cert type, the list would no doubt have included MV as well.

In fact if you're going to go to sheep's-entrails levels of interpretation,
they place EV last on their list, and it's phrased more as an afterthought
than the first two ("must support DV, OV, and also EV").

You're really grasping at straws here...

Peter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy