Update Mozilla CA certificate policy to address EV certificates

RESOLVED FIXED

(Reporter: hecker, Assigned: hecker)

Attachments: 1 attachment, 3 obsolete attachments

Description

12 years ago
As noted by Eddy Nigg in his comments on bug 398944 and bug 383183 and by others, the current Mozilla CA certificate policy version 1.0

http://www.mozilla.org/projects/security/certs/policy/

does not address the issue of Extended Validation certificates (EV certificates). This bug is intended to track progress on updating the policy (e.g., to a 1.1 version) to add additional criteria for marking a root CA as capable of issuing EV certificates under the root CA's hierarchy.

Note that root CAs from which EV certificates are issued (either directly or through subordinate CAs) are simply a special case of normal root CAs. So the normal requirements of the CA certificate policy, including being relevant to typical users, etc., would still apply. From my point of view the best way to approach the problem is therefore to add some additional EV-related criteria to the current policy, either in the main body of the policy or as an addendum.

I'll also post to the mozilla.dev.tech.crypto newsgroup on this topic.

process for evaluating

Various parts such as section 7 have to be expanded and defined clearly before EV certificates shall be treated any different than section 7 suggests. What are the accepted minimum requirements to have an EV certificate marked as such in the browser? What are the criteria to have a CA root marked as EV worthy? There might be other sections of the Mozilla policy which might require adjustments as well.

Comment 1

12 years ago
Oops: Disregard the last paragraph of the previous comment; I inadvertently pasted in part of Eddy Nigg's comments from another bug.

Comment 2

12 years ago
After thinking about it, I think it may be possible to address EV certificates just by adding a final paragraph to section 6 of the current policy. See the attached patch to the HTML version of the policy as published on www.mozilla.org.

Note that since this would be a substantive change to the policy (as opposed to a simple typographical or technical correction) the patch updates the policy version number to 1.1.

Comment 3

12 years ago
Based on comments from Eddy Nigg in m.d.t.crypto I've decided to modify the draft patch. See my post of 2007/11/06 in that newsgroup.
Attachment #284644 - Attachment is obsolete: true

Updated

12 years ago
Blocks: 402947

Comment 4

12 years ago
Based on more comments from Eddy Nigg in m.d.t.crypto, I've decided to reference the WebTrust EV audit criteria in section 8 of the policy, with the language chosen so as to make it clear that these criteria don't stand alone but are to be used in conjunction with the traditional WebTrust for CAs criteria.
Attachment #287621 - Attachment is obsolete: true

Comment 5

12 years ago
I've added an item to section 14 (per Eddy Nigg's suggestion) to request EV information from CAs as part of their requests for inclusion. I've also made some nonsubstantive changes for grammar and to add cite tags to document references. For a copy of the resulting full policy after the proposed patch, see http://hecker.org/private/index-ev4
Attachment #287792 - Attachment is obsolete: true

Comment 6

12 years ago
Created the final 1.1 policy using the patch referenced above, and published it at

  http://www.mozilla.org/projects/security/certs/policy/

Resolving this bug as fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

2 years ago
Product: mozilla.org → NSS