Eddy Nigg (StartCom Ltd.) wrote:
> 1.) As mentioned already on the list, extension to individuals in some
> form would be indeed interesting.

That is currently being worked on, as I understand it.

> 2.) Under section C. 4. (a) Compliance:
>
> It is not fully clear to us, how approval by the CA/Browser Forum is
> performed and how equivalent of the WebTrust programs are defined. In J.
> (a) 1) it says "/or a currently valid unqualified opinion indicating
> compliance with equivalent audit procedures approved by the CA/Browser
> Forum/", but this unqualified opinion is nowhere defined?

This is shorthand; it means "the opinion of an auditor qualified to perform WebTrust audits". I will get that clarified.

> Also
> membership at the CA/Browser forum is currently an exclusive club of
> CAs,

...and open to any CA which has roots in major browsers and issues certificates to the public.

> but we'd like to know if issuance of EV certificates is a
> requirement for membership or can there be membership without actively
> issuing EV certificates?

You do not have to issue EV certs to be a member. EV is not the only issue the CA/Browser forum plans to tackle.

> It is regrettable, that there is explicitly
> the mentioning of "WebTrust" instead of "a neutral and competent 3rd
> party" or allow for alternatives such as ETSI. This monopoly isn't
> really healthy and doesn't reflect the Mozilla CA policy!

It does allow for alternatives; it says "or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum;". We can't just say "a competent 3rd party"; that just begs the question as to who would define "competent"?

If you would like particular alternatives explicitly named, we may be able to do that. Please let me know exactly what.

> Additionally
> we'd suggest to make sure, that CAs approved and included by a minimum
> of one or two software vendor's software will be able to issue EV
> certificates (according to the guidelines) and accepted as such by the
> relevant software vendors - including the listing of the CA in CA/BF,
> even if a CA is not present in some of the (other) software vendors.

I don't quite understand your point here. But nothing in the guidelines affects each browser maker's independent ability to decide which certs and CAs it accepts or recognises.

> 3.) Under section C. 4. (c) Insurance:
>
> The draft mentions two different insurances with 2 million, resp.
> 5 million US$ coverage. However it doesn't say, if these insurances are
> for all the CA business or only for the EV certificates.

4) c) 1) says "related to their respective performance and obligations under these Guidelines"; so it's just for EV.

> 4.) Also not clear is, how the software vendor "knows" about, if a
> certificate is EV. We understand, that CA roots and Intermediate CA
> signer certificates can be marked as EV issuers, however Intermediate CA
> lifespan is usually lower than the root certificate of the CA, in our
> case valid for 5 years. Do software vendors have to manage a list of
> CA signer certificates which are EV issuers? How does Mozilla intend to
> handle/manage that?

EV certs will have a new policy OID to differentiate them from other certs. I am not certain of the technical details; it's not my area. Of course, any browser maker may override this for a particular CA if they feel that CA does not, in fact, meet EV guidelines (for example, if they fail an audit).

> Obviously a very small number of businesses will
> acquire EV certificates,

Why is this obvious?

> but somehow discriminates other properly
> verified and serious certificates issued, making them "less" valued,
> which we think is wrong! When the idea was first published, we expected,
> that certificates would be more divided into categories, such as Class 1
> - 4, or in other words:
>
> 1) Domain validated only,
> 2) Reasonable verification of the identity/business,

So is "reasonable" verification good enough for a user to hand over their credit card details? If so, what's the point of level 3? If not, what's the point of level 2?

> 3) Thorough verification of identity/verification,
> 4) Government authorized or issued, or similar to EV,
>
> reflecting the status by different colors. This would give the user more
> indications about the status of the certificate without being a PKI
> expert.

Except that they would have no clear guidance about what actions they should take based on those colours. Should they, for example, only buy from a merchant with a Level 2 certificate if they are feeling particularly lucky that day?

Gerv
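Point 4 above asks how a browser "knows" a certificate is EV when intermediates rotate faster than roots, and the reply is that EV certificates carry a policy OID. The following Python is an added illustration of that mechanism, not code from the thread, from Mozilla, or from StartCom: it hand-encodes and parses the DER certificatePolicies extension and then applies a per-root EV table, the way a browser keys EV status on the trust anchor rather than on the intermediate. The OIDs, the root name and the EV table are constructed placeholders, and chain validation is assumed to have already succeeded.

```python
"""Minimal DER handling for the X.509 certificatePolicies extension plus an
EV-style policy-OID check. All OIDs, root names and table entries below are
constructed for illustration; none are any vendor's real values."""

from typing import Dict, List, Tuple

TAG_OID = 0x06        # ASN.1 OBJECT IDENTIFIER
TAG_SEQUENCE = 0x30   # ASN.1 SEQUENCE (constructed)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_sequence(content: bytes) -> bytes:
    return bytes([TAG_SEQUENCE]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID; first two arcs are packed into one sub-identifier."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]          # base-128, high bit set on all but the last byte
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return bytes([TAG_OID]) + der_length(len(out)) + bytes(out)


def build_certificate_policies(oids: List[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation,
    PolicyInformation ::= SEQUENCE { policyIdentifier OID } (qualifiers omitted)."""
    return der_sequence(b"".join(der_sequence(encode_oid(o)) for o in oids))


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("DER value runs past end of data")
    return tag, data[pos:end], end


def decode_oid(value: bytes) -> str:
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def parse_certificate_policies(der: bytes) -> List[str]:
    """Return the policy OIDs a certificatePolicies extension value asserts."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_value, _ = _read_tlv(info, 0)   # policyIdentifier is the first element
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_value))
    return oids


# Constructed EV table: trust anchor -> EV policy OIDs the vendor approved for it.
# Keying on the root means intermediate rotation needs no table change, and an
# entry can be dropped (e.g. after a failed audit) without removing trust itself.
EV_TABLE: Dict[str, List[str]] = {"Example Root CA (constructed)": ["1.3.6.1.4.1.99999.1.1"]}


def ev_status(trust_anchor: str, cert_policies_der: bytes, ev_table=EV_TABLE) -> bool:
    """True only if the anchor is EV-enabled AND the leaf asserts one of its EV OIDs."""
    approved = set(ev_table.get(trust_anchor, []))
    if not approved:
        return False
    try:
        asserted = parse_certificate_policies(cert_policies_der)
    except ValueError:                # malformed extension is never EV
        return False
    return bool(approved.intersection(asserted))
```

The check deliberately fails closed: an unknown root, a leaf without a matching OID, or a malformed extension all yield a non-EV result, which matches the reply's point that a vendor can withhold EV treatment from a CA independently of whether it trusts that CA's roots.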
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
