On Wed, Sep 10, 2008 at 4:48 AM, Rob Stradling <[EMAIL PROTECTED]> wrote:
>
> I see that Chrome already has some support for EV SSL Certificates -
> for HTTPS sites that it recognizes as EV, Chrome displays the company
> name in green text in the address bar. I have a number of related
> questions...
>
> 1. Do Google, as a browser creator, intend to join the CA/Browser
> Forum (http://www.cabforum.org) ?
>

This is something we will have to discuss internally. I'm aware of CA/B Forum and the work that goes on there.

>
> 2. How can a CA get their Root Certificate i) added to Chrome's list
> of Trusted Root Certificates, and ii) trusted for EV in Chrome? What
> are the technical requirements, audit requirements, etc? Are these
> instructions published anywhere?

We use Windows' cert store, so if you're already in Windows' cert store as a root CA you should be fine. Re: EV, unfortunately this is something that the OS doesn't handle (AFAIK) so we handle this ourselves. If you're in Firefox or IE as an EV root then we will consider adding you as an EV root; if you're in neither, chances are not good that we will add you as an EV root in Chrome.

>
>
> 3. Chrome on Windows appears to rely on the certificates found in the
> Microsoft Trusted Root Certificate Store, but has its own list of EV
> Policy OIDs (in net/base/ev_root_ca_metadata.cc). Having done that,
> why didn't you use the EV Policy OID metadata built in to the
> Microsoft Trusted Root Certificate Store instead of creating your own
> list?

Do you have a pointer to any documentation on this? I'm not sure if we knew it existed, to be perfectly honest.

>
>
> 4. How did you decide which CAs' EV Policy OIDs to add to the current
> version of ev_root_ca_metadata.cc? It looks suspiciously like
> Mozilla's list, but with those Root Certificates not also present in
> the Microsoft Root Certificate Program removed. Am I right?
>

Without getting too deep into policy, that's probably an accurate reflection of the current state of the list.

>
> 5. What Root Certificates will Chrome on Mac and Linux trust, since
> the Microsoft Trusted Root Certificate Store is Windows-only? Why
> didn't you use Mozilla NSS's Root Certificate DB instead, since NSS is
> already cross-platform? (And then, why not use Mozilla PSM's list of
> EV Policy OIDs instead?)

We want to do what's native on the platform. For Windows, that meant using the Windows certificate store. For Linux we will likely use NSS.

>
>
> 6. The EV UIs in IE7, Firefox 3 and Opera 9.50 all display a "green
> bar" - either the entire address bar goes green, or the company name
> is displayed on a green background. Why have you apparently decided
> to have no "green bar" for EV in Chrome?

Green bar may appear in Chrome some day, it may not. It wasn't a high priority thing - I don't think it really adds much value. What it tells you is that a site went through an extended validation process, but that's really not that meaningful in my opinion - the meaningful part about EV is that you have a verified identity. That we do call out, by showing the company name (in green).

Telling someone to "look for the lock" is not really great advice, because anyone can get a certificate and "get the lock". Similarly, I don't think that telling someone to "look for the green bar" is good advice, because anyone can get the green bar by going through the validation process and supplying truthful information. (Granted, it's a slightly higher bar, but by no means insurmountable.)

The valuable thing is to tell someone to look at the identity information provided and validate that information against their expectations. E.g. if I see "DeutscheBank [DE]" or "Bank of America [US]" that's valuable for me. Just seeing a green bar is not in and of itself valuable.

That's not to say that we will never add the green bar, but I'm not in a rush to add it in either.
