Hi All,
The extended validation (EV) criteria requires yearly re-auditing of the
CA. Without this requirement a CA does not conform to the EV criteria. I
wanted to ask, how we at Mozilla govern this requirement, which
procedures are in place for receiving and reviewing the yearly audit
reports.
If no such procedure is defined yet, I want to suggest to define that
now, since we have already included and upgraded a bunch of EV capable
CAs. I also suggest that we setup a page similar to the pending/included
pages (at the same location) with a table for the corresponding years
(like 2007,2008,2009 etc...) which would allow to control and follow the
audit reports. Perhaps each CA should have an entry from which date the
original audit is and when the next audit is due. I would also suggest
to define a temporary period of 2 month, in which time the audit may be
pending before taking action.
Which leads me to a different suggestion, that NSS should have an option
to pull EV status dynamically without waiting for an update of NSS in
the software and require an update of the browser. The approval and
commitment by Mozilla of the EV criteria, implies a sufficient mechanism
that should be in the code to allow NSS and software relying on NSS to
positively adhere to EV, otherwise we might be in a problem very soon.
Additionally, CAs which are not likely to adhere to this requirement (of
re-auditing) or suspected thereof should confirm their intentions in the
bug. I don't suspect CAs like Verisign to fall under these, however some
smaller CAs might be suspected of that. There is no point in applying EV
for a CA, if after a year the audit isn't renewed. Please note that
Microsoft has such capabilities and they are enforcing it.
(Critical Note: I have the feeling that Mozilla rushed into providing
support for EV in Firefox without following through in the code and
controlling procedures and without taking into account all implications.
And no, this is not a rant against EV, but shows a critical shortcoming
on our (Mozilla) part. Effectively there might be CAs when Firefox 3 is
released which do not conform to the EV criteria!)
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
