Eddy Nigg (StartCom Ltd.) wrote:
> The extended validation (EV) criteria require yearly re-auditing of the
> CA. Without this requirement a CA does not conform to the EV criteria. I
> wanted to ask how we at Mozilla govern this requirement, which
> procedures are in place for receiving and reviewing the yearly audit
> reports.
>
> If no such procedure is defined yet, I want to suggest defining that
> now, since we have already included and upgraded a bunch of EV-capable
> CAs. I also suggest that we set up a page similar to the pending/included
> pages (at the same location) with a table for the corresponding years
> (like 2007, 2008, 2009 etc.) which would allow us to control and follow the
> audit reports. Perhaps each CA should have an entry from which date the
> original audit is and when the next audit is due. I would also suggest
> defining a temporary period of 2 months, in which time the audit may be
> pending before taking action.

I agree with your general point, namely that we should start doing better tracking of audit dates, particularly for EV audits. However, I don't know at this point what would be appropriate in terms of setting timeframes for when an audit would be considered to be out of date. As implied in my previous message, I've noticed that currently there can be delays of several months from the time an EV audit is completed to the time that the report is actually published and available for us to review.

> Which leads me to a different suggestion, that NSS should have an option
> to pull EV status dynamically without waiting for an update of NSS in
> the software and require an update of the browser.

It's not clear to me why we would need this.

First, it's not NSS that determines whether a CA is treated as an EV-capable CA or not; that determination is made in the PSM code, which is considered part of the Firefox code (or SeaMonkey, or Camino, or whatever -- AFAIK they all share the PSM code, which is part of the overall set of shared browser code).

Second, we already have the ability to quickly update Firefox (or SeaMonkey, or Camino) through the normal security update mechanism. Firefox security releases are typically done every month or two, and are sometimes done more frequently if needed to address unexpected and critical security vulnerabilities. But having an EV audit become obsolete is not unexpected at all, since we can predict when it will occur. So if we want to turn off EV capability for a CA at some future date, we can simply schedule a change to do that as part of the normal Firefox update cycle.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto