[cabfpub] [cabfman] FW: Ballot [89] - Adopt Guidelines for the Processing of EV SSL Certificates v.2

Ryan Sleevi sleevi at google.com
Tue Oct 16 22:49:29 UTC 2012


On Tue, Oct 16, 2012 at 2:37 PM, Rick Andrews <Rick_Andrews at symantec.com>wrote:

> OK, two more changes here:
>
> 1) Backed out of the statement that the SSL cert shouldn't be
> trusted if it doesn't chain up to a trusted root (dropping the DANE hot
> potato for the moment)
>
> 2) Dropped mention of the BR; the only place it was mentioned
> was to refer to audit details. I changed it to say refer to Section 17 of
> [EVSSL].
>
Thanks Rick. I think these changes look good to me.

> Would there be value in adding a section documenting the complete set of
> EV roots along with the EV OIDs associated with them? I think that this
> document is the right place for that info.
>

I'm not sure there is particular value here. According to the very
recommendations in this document (Section 6.1), individual application
developers should be responsibly ensuring that CAs are meeting the audit
requirements on a timely basis. Further, every root program effectively
goes above-and-beyond the audit requirements, even if it's simply a
rubber-stamp process (for example, the execution of agreements as shown by
Microsoft and Opera's root programs and as captured in Section 7.2)

As such, the only value a list would provide is a point-of-contact for an
application developer to proactively request that every CA submit their
details to the developer. That seems to be what Section 7.1 provides, and
it keeps the burden on the CAs.

Plus, since annual audits are necessary, the list (may) change over time.
Maintaining an addendum for that seems unnecessary.

For what it's worth, the relevant who's who of EV-enabled certificates that
I have on-hand:
 - For Apple: Available at opensource.apple.com as part of the
security_certificates package. For 10.8.2, the direct link is
http://opensource.apple.com/source/security_certificates/security_certificates-55024.2/evroot.config
 - For Firefox: Main link is
http://www.mozilla.org/projects/security/certs/included/ (which includes
link to audit spreadsheet), and in source this is embodied in
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp
 - For Chromium:
http://src.chromium.org/viewvc/chrome/trunk/src/net/base/ev_root_ca_metadata.cc?view=markup
 - For Opera: Yngve blogs details at http://my.opera.com/rootstore/blog/ ,
but the raw store can be accessed at https://certs.opera.com/ (see
02/ev-oids.xml and 03/ev-oids.xml)
 - For Microsoft: Tom can likely provide a better direct URL, but
http://social.technet.microsoft.com/wiki/contents/articles/introduction-to-the-microsoft-root-certificate-program.aspx
suggests
http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx as the
link (although it does not list EV enablements, AFAIK)