[Important note: this discussion is taking place in
mozilla.dev.security; please respect the Followup-To: header.]
For some time, the Mozilla Foundation has been taking part in a group
called the CA/Browser Forum (CABF), an association of the major
public-facing CAs and all the major browser-makers except Apple. See
http://www.cabforum.org/ , which went up recently.
Currently, there is no minimum level of validation which is done before
a certificate is issued, leading to the existence of "domain control
only" certificates, which have no information in them about the party to
whom they are issued. Such certificates have some uses, but are not
recommended for e-commerce. Other CAs claim to do more vetting -
however, their methods are trade secrets and there is no
standardisation. However, the current browser presentation of all
certificates is the same padlock icon.
The aim of the group is to develop a new, higher standard for the
validation which is done before certificate issuance, called Extended
Validation. The idea was that such certs would be presented differently
in the UI, to give the CAs a reason to go to the extra effort, and to
give customers a reason to buy them. In IE 7 at least, the use of an EV
certificate is tied to the green background in the URL bar.
The Foundation representatives have so far not made a commitment to the
CABF on the exact timing or nature of our support for EV. This includes
the UI.
The guidelines have been developed via a very long and drawn-out
process, including several face-to-face meetings with competing
specifications from different groups of CAs over the past two years.
Eventually and quite recently, a Microsoft employee synthesised a
unified specification, which has now been made available for public
comment. The latest draft of this document can be found here:
http://www.cabforum.org/EV_Certificate_Guidelines_-_Draft_10-2...pdf
The Mozilla project as a whole needs to decide whether EV will make a
material difference to the reliability of information in certificates
and, if so, whether that warrants a different UI presentation for EV
certificates. It would also be good to have a more general discussion
about how we present security information to users.
All comments welcomed. Ideally, I would be able to give any feedback to
the editor before November 19th, after which there may be another vote
on adopting the updated specification. If you have any questions about
the process or the CABF, please ask.
Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto