This post is about bug reports 383183 and 398944 and the relation between EV 
certificate support in the UI (and to a lesser extent in the NSS 
library) and the Mozilla CA policy 
(http://www.mozilla.org/projects/security/certs/policy/).

Currently the Mozilla CA policy doesn't define EV's minimum 
requirements, acceptable criteria or "trust bits". In fact the policy 
currently supports only three types of certificates:

    * SSL-enabled servers,
    * digitally-signed and/or encrypted email, /or/
    * digitally-signed executable code objects;
The policy doesn't define _any_ distinction between certificates as such 
beyond the types mentioned above.
Neither does the policy define the criteria if, when and how a 
certificate should be treated differently (as suggested for EV 
certificates) in the UI.
Neither does the policy define minimum requirements for EV (section 7).
Neither does the policy define the criteria for CA operations for EV 
(section 8).
Section 14 of the policy doesn't support EV.

Currently ANY/NO certification authority with a root certificate in the 
NSS CA in the Authorities DB might be eligible to issue EV certificates 
- or not - according to this policy. EV support should not be enabled 
anywhere in Mozilla products until a binding policy governing EV 
certificate support is defined and/or the Mozilla CA policy is modified 
in that respect.

In relation to bug 398944 the policy requires CAs to submit a request 
themselves (section 5 and following) and decisions are taken through a 
public process (section 2). More than that, I was told that the CAB forum 
refused or is unable to provide a list of "so called" EV issuing CAs. I 
suggest closing bug 398944 because the bug is simply not relevant nor 
doable from a practical point of view, in addition to not being compliant 
with the Mozilla CA policy.


-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security