I've filed a bug against myself (399214) to update the current Mozilla 
CA certificate policy to address the issue of "extended validation" 
certificates. Part of that process involves public discussion of exactly 
what changes need to be made. Here are some quick thoughts of my own; 
note that these are somewhat tentative, but I'm putting them out here to 
get feedback.

First, just to review: Now that the CAB Forum has published version 1.0 
of the EV guidelines:

http://www.cabforum.org/EV_Certificate_Guidelines.pdf

we've had a number of CAs asking for their root CAs to be marked as 
capable of issuing EV certificates, so that they can be accorded any 
special UI present in Firefox 3 and related products to display identity 
information in SSL certs. (See for example bugs 398944 and 383183.) 
However, just as we have a formal policy for deciding whether to add a 
particular root CA certificate for "normal" use, we should also have a 
formal policy for marking a root CA's certificate as EV-capable (as 
noted by Eddy Nigg and others).

As noted in the bug, I think an EV-enabled root CA cert is simply a 
special case of root CA certs in general, so we don't need a whole new 
separate policy. At the same time I don't want to revise every section 
of the existing policy, and if possible I'd like to avoid changes that 
necessitate renumbering and reorganizing the current sections of the 
policy. I'm therefore leaning toward having an EV addendum to the 
policy, and putting all the EV-related stuff there. Then we could simply 
modify section 6 ("We require ...") to add an additional paragraph 
pointing to the addendum. This would result in a version 1.1 of the 
overall Mozilla CA cert policy.

In terms of the addendum itself, obviously we can reference the CAB 
Forum guidelines document (formally, "Guidelines for the Issuance and
Management of Extended Validation Certificates, Version 1.0") as the 
governing criteria. There's a broader question of whether in theory we 
could or should accord "EV-style" treatment to CAs that don't strictly 
speaking conform to the guidelines, but conform to other guidelines 
deemed to be equivalent. I'd like to declare that question out of scope 
for now, as there are no obvious candidates today for alternative 
guidelines (at least AFAIK).

In terms of audits associated with "EV-ness", I'm a little unclear on 
what other documents need to be referenced. Section J of the EV 
guidelines spells out the high-level audit requirements: basically 
either go through the WebTrust EV process or a process deemed as 
equivalent by the CAB Forum. There's a document "WebTrust for 
Certification Authorities - WebTrust Extended Validation Audit Criteria" 
on the CAB Forum web site; however, it's marked as draft and the 
guidelines themselves don't mention it by name AFAICT. (The guidelines 
instead use the term "WebTrust EV Program".) My initial conclusion is 
that we don't need to reference the WebTrust draft document, but can 
confine ourselves to referencing the relevant section(s) of the guidelines.

Finally, I'm open to suggestions on other possible changes to the 
Mozilla CA certificate policy unrelated to EV certs. However, I reserve 
the right to postpone consideration of such changes to a future 
version of the policy (e.g., 1.2) if there's no immediate strong 
consensus on the need for any such change and the associated "patch" to 
the policy itself. My primary goal is to address the EV-related policy 
changes, and to do so as expeditiously as possible.

Anyway, if you have comments on this general topic please feel free to 
post them here. In the meantime I'll work to come up with an initial 
draft of proposed changes to the policy text, and will post that to the 
bug when done.

Frank

-- 
Frank Hecker
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security