What's the time frame for this? I've already seen a few things worth commenting on, but after your first message I thought I would follow up on it after you are ready...

Frank Hecker wrote:
> Frank Hecker wrote:
>
>> The first step is getting a complete list of all
>> current EV-related CA requests. I believe the following is the complete
>> list, based on searching bugzilla:
>
> Here's a quick take on each request. The principal parameters I looked
> for are as follows:
>
> * Is this request for an existing root to be upgraded for EV, or for a
>   new EV-enabled root to be added?
>
> * What version of the EV guidelines does the CA claim compliance to?
>
> * What type of audit was done? For example, was this done using the
>   draft WebTrust EV criteria? Final WebTrust EV criteria? Something else?
>
> The last two points are connected, in that the draft WebTrust EV
> criteria reference the draft 11 EV guidelines, while the final WebTrust
> EV criteria reference the final 1.0 guidelines.
>
>> * Secomtrust (394419)
>
> Request to upgrade two existing roots for EV, and add a new EV root?
> (This is not 100% clear from the bug, based on the original description
> vs. comment #6.) Audit was done against draft WebTrust EV criteria.
> (Note that there was apparently one issue with the audit, as noted in
> the report.)
>
>> * Comodo (401587)
>
> Request to upgrade 11 existing roots for EV, and add one new EV root.
> Audit was done against draft WebTrust EV criteria (I think). (This is
> not exactly clear from the bug or the report.)
>
>> * VeriSign (402947)
>
> Requests addition of new VeriSign EV root (though the bug also mentions
> Thawte and GeoTrust roots -- see also below). Audit was done against
> draft WebTrust EV criteria.
>
>> * Valicert/Starfield/Go Daddy (403437)
>
> Request to upgrade three existing roots for EV. Audit was done against
> draft WebTrust EV criteria.
>
>> * Digicert (403644)
>
> Request to upgrade an existing root for EV. Audit was done against draft
> WebTrust EV criteria (I think). (This is not exactly clear from the bug
> or the report, but inferred from the date of the report.)
>
>> * QuoVadis (403665)
>
> Request to upgrade an existing root for EV. Audit was done against draft
> WebTrust EV criteria.
>
>> * Network Solutions (403915)
>
> Request to add a new EV root? (As noted in comment #2, this is not clear
> from the information supplied.) It's not clear from the bug whether a
> WebTrust EV audit has been done; the referenced audit appears to be for
> vanilla WebTrust.
>
>> * GlobalSign (406796)
>
> Request to upgrade an existing root for EV, and add a new EV root. (At
> least this is how I interpret it.) Audit was done against the draft
> WebTrust EV criteria, audit report is not available on the web.
>
>> * Thawte (407163)
>
> Request to add a new EV root. It's not clear from the bug whether a
> WebTrust EV audit has been done; the referenced audit appears to be for
> vanilla WebTrust.
>
>> * GeoTrust (407168)
>
> Request to add a new EV root. It's not clear from the bug whether a
> WebTrust EV audit has been done; the referenced audit appears to be for
> vanilla WebTrust.
>
>> * Trustwave (409837, 409838, 409840)
>
> (Aka SecureTrust, aka XRamp) Requests to upgrade an existing (XRamp)
> root for EV, and add two new EV roots. (At least this is how I interpret
> it.) I'm not sure whether the audit was done against the draft WebTrust
> EV criteria or the final WebTrust EV criteria; this is not 100% clear.
>
>> Next step is figuring out the basic parameters for each request.
>
> If anyone wants to double-check my conclusions above please feel free; I
> could use some help with this.
>
> One more parameter worth looking at is whether the audits were done
> prior to the CA offering EV certs (which I think is what people mean by
> a "readiness audit") or whether they reflect actual operational
> experience in issuing EV certs. I noted this for a few CAs, but haven't
> yet done an exhaustive check on all the CAs above.
>
> Note that all (or almost all) of the audits done were apparently against
> the draft WebTrust EV criteria and not the final WebTrust EV criteria.
> Our policy references the final WebTrust EV criteria, which had recently
> been adopted when we revised the policy. It's an open issue whether we
> want to revisit that choice, at least on a provisional basis. For
> example, we could provisionally approve a CA for EV based on an audit
> against the draft criteria, on condition that the next audit be against
> the final criteria. Otherwise I'm not sure we'd have any EV-capable CAs
> at all in Firefox 3.
>
> Frank

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto