[cabfpub] Revised document for Ballot 89 - Adopt Requirements for the Processing of EV SSL Certificates v.2
Gervase Markham
gerv at mozilla.org
Mon Oct 15 09:41:12 UTC 2012

On 13/10/12 01:32, Rick Andrews wrote:
> -The DV cert will conform to Baseline Requirements (minimum key size,
> strong signing and hashing algorithm, acceptable validity period, proper
> extensions)

Although one might note that these are all things that a browser could
check about a cert for itself. This raises a good point - if a browser
starts accepting (in some way) this form of cert delivery, we may want
to impose BR or BR-like minimum requirements on the certs we do accept.

> -The DV cert would be very likely to have undergone automated checks for
> weak keys, weak exponents, not on Debian weak key list, not on internal
> phish lists, etc.)

Although such checks could be performed by any third party using
something like the SSL Observatory. Yngve is right - some of this sort
of check can't be done by the browsers.

> -The DV cert would contain AIA and/or CDP extensions, so if the CA
> detects that the site is fraudulent, it can revoke the cert.

Are CAs (or is Symantec) now taking the position that they revoke certs
which contain correct identity information but are being used on sites
which engage in illegal activity? What definition of "illegal" are you
using?

Gerv