This post is about bug reports 383183 and 398944 and the relation of EV certificate support in the UI (and to a lesser extent in the NSS library) and the Mozilla CA policy (http://www.mozilla.org/projects/security/certs/policy/).
Currently the Mozilla CA policy doesn't define EV's minimum requirements, acceptable criteria or "trust bits". In fact the policy currently supports only three types of certificates:

* SSL-enabled servers,
* digitally-signed and/or encrypted email, /or/
* digitally-signed executable code objects;

The policy doesn't define _any_ distinction between certificates as such beyond the types mentioned above. Neither does the policy define the criteria if, when and how a certificate should be treated differently (as suggested for EV certificates) in the UI. Neither does the policy define minimum requirements for EV (section 7). Neither does the policy define the criteria for CA operations for EV (section 8). Section 14 of the policy doesn't support EV.

Currently ANY/NO certification authority with a root certificate in the NSS CA in the Authorities DB might be eligible to issue EV certificates - or not - according to this policy. EV support should not be enabled anywhere in Mozilla products until a binding policy governing EV certificate support is defined and/or the Mozilla CA policy is modified in that respect.

In relation to bug 398944, the policy requires CAs to submit a request themselves (section 5 and following) and decisions are taken through a public process (section 2). More than that, I was told that the CAB forum refused or is unable to provide a list of "so called" EV issuing CAs. I suggest closing bug 398944 because the bug is simply neither relevant nor doable from a practical point of view, in addition to not being compliant with the Mozilla CA policy.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security