beltzner wrote:
If StartCom can follow the EV guidelines for cheaper, they stand to make a killing. I don't get what upsets you about this, Eddy. The market will adjust. Believe in it. It's just that now the market will be guided by standard guidelines for how to do validation and offer repudiation, revocation and let users find the actual certificate holder.
Just to be clear: Eddy can't offer EV certificates because a Webtrust audit is a condition of membership for the CA/Browser Forum, and Startcom doesn't have one. (The Mozilla CA Certificate Policy accepts various equivalents to a Webtrust audit, which is how Startcom is included in our root store.)
Even if he had a Webtrust audit, he would also need a Webtrust EV audit to audit his EV procedures, which would also cost money. But this is a cost borne by all CAs who wish to offer EV.
I point these things out to make the situation clear, not because I necessarily think they are unfair. However, it would certainly be possible for the Mozilla Foundation to lobby for a change in the CA/Browser Forum membership rules, should it choose to do so. I wouldn't be able to comment on the likelihood of our succeeding.
Gerv