Robert Relyea wrote:
> Draft 11 was proposed as a standard in Oct 2006 in order to meet the 
> deadline for inclusion in Vista. Mozilla abstained on that vote due to 
> the closed nature of the spec (it was not publicly available at the 
> time). Objections to the draft up to that point were mainly that it was 
> too restrictive.

You've jogged my memory, that's my recollection as well: that some of 
the stuff in draft 11 was seen as unnecessary in practice, and CAs 
wanted some relief on specific points. If that's the case then that 
bolsters the argument that accepting audits against draft 11 doesn't 
represent a real issue in terms of user security.

> I would be OK with accepting validations started before June 12, 2007 
> based on Draft 11. Webtrust's chart indicates that their validations 
> switched to 1.0 immediately on its approval by the CAB (including 
> mid-evaluation for those that weren't completed before June 12, 2007). 

That's somewhat at variance with the statement on the CAB Forum web 
site, that the final WebTrust EV criteria were effective September 30, 
2007. But I don't think we need to parse the dates that closely. My 
proposal would rather be just to accept all valid WebTrust EV audits, 
whether against the draft or final criteria/guidelines, for all CA EV 
applications submitted before a certain date. To allow for any 
additional applications that come in, I'd set the date at some point in 
the future, maybe July 1 2008; after that we'd revert the policy to 
specify the final criteria and guidelines only, to emphasize that the 
drafts are obsolete and deprecated.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
