Frank Hecker:
I agree with your general point, namely that we should start doing
better tracking of audit dates, particularly for EV audits. However I
don't know at this point what would be appropriate in terms of setting
timeframes for when an audit would be considered to be out of date.
Does Mozilla adhere to the EV criteria?
Did Mozilla approve and vote for this criteria?
Does Mozilla (visually and otherwise) signal to the user that a CA is EV
capable and issued the certificates according to the EV criteria?
Then there is only one answer for this: *The EV criteria!* Apply the EV
guidelines according to what it says.
As implied in my previous message, I've noticed that currently there can be
delays of several months from the time an EV audit is completed to the
time that the report is actually published and available for us to review.
This is perhaps not a problem of the CA nor of the relying parties. As I
stated in the previous mail, if Mozilla itself can't adhere to its own
requirements, we will be in trouble very soon.
It's not clear to me why we would need this.
No? :-)
First, it's not NSS that
determines whether a CA is treated as an EV-capable CA or not; that
determination is made in the PSM code, which is considered part of the
Firefox code (or SeaMonkey, or Camino, or whatever -- AFAIK they all
share the PSM code, which is part of the overall set of shared browser
code).
OK...I refer usually to NSS concerning everything related to
certs...sorry, my mistake.
Second, we already have the ability to quickly update Firefox (or
SeaMonkey, or Camino) through the normal security update mechanism.
Mhhh...that might be a lot of annoying updates quickly to come, if we
adhere to the EV criteria...Which in itself doesn't guaranty that users
update their software. I think there should be something better than
that, seriously.
Firefox security releases are typically done every month or two, and are
sometimes done more frequently if needed to address unexpected and
critical security vulnerabilities. But having an EV audit become
obsolete is not unexpected at all, since we can predict when it will
occur. So if we want to turn off EV capability for a CA at some future
date, we can simply schedule a change to do that as part of the normal
Firefox update cycle.
OK, this would go for the meantime, however I still suggest to search
for better solutions if possible. Too many updates have their drawback
as it was noted in other lists and isn't encouraged really. Besides that
I'm not sure how you (and others) would evaluate the situation to push
through with an update because of an obsolete EV audit (and a CA has to
be removed). As I indicated we should define a temporary period during
which time a CA hasn't a valid audit and during which time we can ping
the CA and have them submit the audit accordingly. This temporary period
would also allow to schedule a removal of the status from PSM.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
