Eddy Nigg (StartCom Ltd.) wrote:
> Well, you said: "If anyone wants to double-check my conclusions above
> please feel free; I could use some help with this."
>
> So I asked in reply what the time frame is...as *you* know, it takes
> quite some time to go through just the basic information, verify some
> of it, make notes and follow up on stuff which isn't clear...me willing
> to help and spare some time for this, but it really somewhat depends on
> how much time we've got.
Ah, OK, my apologies for not understanding the context of the question. I'll give you a two-part answer regarding where I could use help, and when:

First, we need to reach a consensus on what to do about CAs audited under the draft WebTrust EV criteria. AFAICT right now if we applied our policy strictly we wouldn't have any CAs that comply with it, and may not have any for some time to come (per my point below). However it's not clear to me a) if the differences between the draft WebTrust EV criteria and the final WebTrust EV criteria are actually that significant, and b) if they are significant, to what extent they're security-relevant. (Because after all our ultimate concern is users' security, not guidelines and criteria per se.) This is where I could use help from people more familiar with the nitty-gritty details of the WebTrust EV criteria and the underlying EV guidelines.

If the differences really aren't that relevant from a security perspective then arguably we should consider a provisional approval scheme like I mentioned earlier. We aren't talking about the case of "audited" vs. "not audited"; all the CAs in question have been audited, albeit under slightly different criteria than in our current policy. Also, a CA that got audited prior to 2007/09/30 (when the final WebTrust EV criteria went into effect) is not instantly going to re-do its audit; for reasons of cost and other factors it's typically going to wait for the next audit cycle. This introduces a fair amount of (IMO) unnecessarily arbitrary variation in when CAs are able to get approved for EV in Mozilla products.

In any case, IMO we need to resolve this issue one way or another very shortly, because it affects everything else related to consideration of the outstanding EV requests.

Second, we need to triage the EV requests to see which are most suitable for consideration right now. For example, we might privilege cases where the root in question is already in NSS/Mozilla and just needs upgrading for EV, since we can leverage work already done for the original approval. Here I could use help both to do the triage and also to follow up and get the relevant questions asked and answered regarding the CAs we're looking at first.

Does this help answer your question?

Frank

--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto