Hi Gerv,

> You are continually damaging your credibility in this discussion

Thank you for taking care of my credibility!

> I can state with certainty that Verisign did not "write most of the EV guidelines".

Right, to all _my knowledge_ it was mostly drawn up by Kelvin Yiu of Microsoft. However, nobody can explain the relationship between Kelvin and other CAs, including Verisign, or any business relationship or interest between Microsoft and Verisign which might exist. In itself maybe not a problem, but weren't we talking about the two biggest interest groups in the EV forum! And I remain highly suspicious of the intent of the whole thing after all... Why wasn't it drawn up by somebody *known* not to have any financial or other hidden interests?

> That just isn't true. Section 8 a) of the EV Certificate Guidelines gives the maximum validity period as 27 months. It recommends 12, but that is only a recommendation.

Yes, somebody pointed this out already... But this shows perhaps again that recommendations are pretty useless, and perhaps only the "must" and "required" language should be used and everything else omitted. This would make it perhaps easier to read, but now we might comb through the guidelines, find all the "recommendations", and see what we are really left with!

> Except that they haven't been approved yet.

> The audit criteria are up on the cabforum.org website; all you need is a suitable auditor willing to audit you. Given that several CAs are offering EV certs now, they must have had the audits done. Therefore your assertion is clearly wrong.

Don't you think that the statements above contradict each other? You are saying that the EV guidelines are not approved yet by the forum and are still a draft, but audits are undertaken and certificates issued already!? Now whose credibility is at stake here?

I assumed that if certificates are issued already, the guidelines must have been approved and audits already performed. This however doesn't seem to be the case... and what happens if the guidelines still change? Re-audit? Revoke and re-issue all certificates? In short, perhaps this is not the proper way of implementation...

> Eddy, if we are destined to forever disagree on this, so be it. But I can tell you for absolute certain that we are _not_ going to put Firefox users in a position of having to know and evaluate the relative trustworthiness of (or practices of) 50 different CAs, and the relative strengths of different encryption algorithms and key sizes, in order to work out whether a particular site is (relatively) safe to do business with.

This is not what I suggested! Again, what I suggested is to provide basic information about the certificate to the user in the most convenient way (such as a mouseover and/or one-click action), should the user be interested in it. Additionally, by making the padlock area more prominent, by displaying the organization name, locality and country, and perhaps some highlight color, it would draw the user's attention to it. In this way the browser might help to provide the important information to the user better...

> "Throw all the information at the user and let them make up their own mind" is not going to be our UI strategy.

Actually, it has been your strategy since the existence of Mozilla, minus the "throwing" of information at the user. Currently the casual user has not much else to do than make up their mind - without much information. My intention is to improve that a bit... But you still suggest that the user can't make a decision whatsoever and can't read basic details of an SSL/TLS secured web site. You also insist on keeping it this way, by providing a distinctive color for EV and nothing else! No improvement of other shortcomings!

It also seems to me that whatever argument, critical, negative or not in favor of EV, is made by a participant on this list, it is simply rejected by you! So we might never agree with each other in that respect, but please let me explain to others what I think would be best for the Mozilla browser. I believe that others are actually listening...

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security