[cabfpub] Revised document for Ballot 89 - Adopt Requirements for the Processing of EV SSL Certificates v.2

Gervase Markham gerv at mozilla.org
Mon Oct 15 09:41:12 UTC 2012


On 13/10/12 01:32, Rick Andrews wrote:
> -The DV cert will conform to Baseline Requirements (minimum key size,
> strong signing and hashing algorithm, acceptable validity period, proper
> extensions)

Although one might note that these are all things that a browser could 
check about a cert for itself. This raises a good point - if a browser 
starts accepting (in some way) this form of cert delivery, we may want 
to impose BR or BR-like minimum requirements on the certs we do accept.

> -The DV cert would be very likely to have undergone automated checks for
> weak keys, weak exponents, not on Debian weak key list, not on internal
> phish lists, etc.)

Although such checks could be performed by any third party using 
something like the SSL Observatory. Yngve is right - some of this sort 
of check can't be done by the browsers.

> -The DV cert would contain AIA and/or CDP extensions, so if the CA
> detects that the site is fraudulent, it can revoke the cert.

Are CAs (or is Symantec) now taking the position that they revoke certs 
which contain correct identity information but are being used on sites 
which engage in illegal activity? What definition of "illegal" are you 
using?

Gerv



More information about the Public mailing list