Yesterday and this morning I attended a CA/Browser Forum meeting in San
Francisco. Here are some highlights:

- The Forum voting rules were changed. For votes which affect the
contents of the Guidelines, we will use an IETF-like system where
there is a 5-day review period and then a 7-day vote, with 66% of CAs
and 50% of browsers voting having to approve for the motion to pass. For
other votes, a simple majority of organisations represented is sufficient.

- Following a day's discussion and amendments, and a few more the
following morning, those present passed a motion that Draft 17 (as it
will be) be formally voted on to see if the Forum agrees it should be
version 1.0 of the Guidelines. The new voting rules will be used. The
review period ends on 10th May at 12pm PST; the voting period therefore
ends at the same time on 17th May. If passed, the guidelines will be
immediately binding.

- The last three drafts are available here:
http://www.mozilla.org/projects/security/certs/ev/guidelines-draft-15.doc
http://www.mozilla.org/projects/security/certs/ev/guidelines-draft-16.doc
http://www.mozilla.org/projects/security/certs/ev/guidelines-draft-17.doc
The Guidelines are maintained as a .doc file (sorry). The draft 15
change markers show changes relating to many of our comments, those for
draft 16 show the changes made on the first day of the meeting, and
those for draft 17 relate to the second day.

- I have updated the wiki page with my comments on each issue which was
raised by us, and how it has been dealt with (or not).
http://wiki.mozilla.org/User:Johnath/EVDraft13ReviewComments

- We need to decide whether this draft is good enough to be version 1.0,
or whether there are still things we object to strongly enough to
require further changes.

- I proposed a motion, which passed unanimously, to admit CAs who only
have an ETSI audit to the CAB Forum. This brings the requirements for
Forum membership broadly in line with the criteria for admission to the
Mozilla root store. (An X9.79-1 audit alone will not get you into the
Forum, but I don't know any CA which just has one of those.)

This is a separate issue from allowing CAs with only an ETSI audit to
take and pass an EV readiness audit, and issue EV certificates - but the
auditors and WebTrust representative present at the meeting indicated
their willingness to a) look at how equivalent the two are, and b) see
whether we can separate the WebTrust EV audit criteria out so that other
auditors could audit against them. So progress has been made there too.

- The CAB Forum is considering eventually taking the Guidelines to a
standards body (although not immediately). Two have been suggested as
possibly appropriate - ICANN and the ISO. Suggested ISO subcommittees
were SC27 WG3 (authors of the Common Criteria) and SC2 (Financial
Services Security). We should decide whether we would like to suggest
other appropriate bodies.

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security