Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker:
>> I agree with your general point, namely that we should start doing 
>> better tracking of audit dates, particularly for EV audits. However I 
>> don't know at this point what would be appropriate in terms of setting 
>> timeframes for when an audit would be considered to be out of date.
<snip>
> Then there is only one answer for this: *The EV criteria!* Apply the EV 
> guidelines according to what it says.

The problem is that while the EV guidelines contain an explicit 
requirement for annual audits, they don't dictate things like the length 
of the grace period that browser vendors should give CAs once their 
audits expire.

In fact, it's not even clear from the EV guidelines exactly when an 
audit "expires"; for example, should we count from the end of the period 
for which the audit applies, from the date that the audit report was 
actually issued, or from some other date?
>> It's not clear to me why we would need this. 
> No? :-)

To be clear, I agree with you that we should remove our "EV blessing" 
from CAs that don't meet the EV guidelines requirement for annual 
audits. When I wrote the sentence above, what I meant is that I didn't 
understand why we needed a special mechanism (in NSS, Firefox, or 
wherever) just to turn off EV capability for CAs, when we already had a 
general-purpose mechanism to do automated updates for any sort of 
security issue.

>> Second, we already have the ability to quickly update Firefox (or 
>> SeaMonkey, or Camino) through the normal security update mechanism.
> 
> Mhhh...that might be a lot of annoying updates quickly to come, if we 
> adhere to the EV criteria...Which in itself doesn't guarantee that users 
> update their software. I think there should be something better than 
> that, seriously.

First, if and when we do have to turn off EV for CAs, we don't need to 
do it one by one. We can simply schedule such changes for the normal 
security update cycle, and batch changes for multiple CAs into a single 
update release.

Second, the security updates are very effective in terms of getting 
changes out to users. For example, for Firefox 2 we got 90% of all users 
upgraded within a week of releasing a new Firefox 2.0.0.x update, and 
overall got ~95% penetration for the updates:

http://blog.mozilla.com/security/2007/06/18/time-to-deploy-improvement-of-25-percent/
http://arstechnica.com/news.ars/post/20070518-firefox-users-lead-the-way-in-keeping-up-to-date.html

Since the automated update mechanism is turned on by default in Firefox, 
I suspect that almost all of the people not getting automated updates 
are those that have turned it off themselves, or whose organizations 
have turned it off for them, presumably out of a distrust of automated 
updates in general. Those same people would likely turn off other 
features that automatically contacted Mozilla for updates.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto