-------- Original Message --------
Subject: Re: [Fwd: Re: EV guidelines]
Date: Sun, 04 Feb 2007 23:25:28 +0100
From: Iang <[EMAIL PROTECTED]>

> Good catch! More than that, it was signed and issued long before the EV
> guidelines were approved (How could they know what the guidelines will
> be?). And even more disturbing is the fact, that the certificate is
> valid for a period of _two_ years, whereas the guidelines speak strictly
> about _ONE_ year only!!!! And now to all the EV supporters: Isn't EV
> already flawed by the biggest certification authority?

Last night I was reading the new Auditor's guidelines. One thing I discovered was that if the root key for EV was issued *before* the release of the EVG, it becomes acceptable as is. Grandfathered, in the lingo. If it is issued *after* the EVG, it has a dramatically enhanced regime, including having to be issued in front of the auditor, and a special report issued! Much more cost, and delay and etc etc. See 35(e) on page 41. You are supposed to video the proceedings !!

So, those who waited for the publication of the guidelines, assuming that EV wasn't valid or even creatable until the guidelines were published, were ... tricked ;)

Another odd sidenote is that a POBox is not an acceptable address (EVG 16, C#6.1). This then rules out the CIA, which apparently has its people working out of POBoxes in Langley and then flying off to Europe for extraordinary renditions...

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security