Closed Bug 399214 Opened 13 years ago Closed 13 years ago

Update Mozilla CA certificate policy to address EV certificates

Categories: NSS :: CA Certificate Root Program (task; Not set; normal)

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: hecker, Assigned: hecker

Attachments: 1 file, 3 obsolete files

As noted by Eddy Nigg in his comments on bug 398944 and bug 383183 and by others, the current Mozilla CA certificate policy version 1.0

http://www.mozilla.org/projects/security/certs/policy/

does not address the issue of Extended Validation certificates (EV certificates). This bug is intended to track progress on updating the policy (e.g., to a 1.1 version) to add additional criteria for marking a root CA as capable of issuing EV certificates under the root CA's hierarchy.

Note that root CAs from which EV certificates are issued (either directly or through subordinate CAs) are simply a special case of normal root CAs. So the normal requirements of the CA certificate policy, including being relevant to typical users, etc., would still apply. From my point of view the best way to approach the problem is therefore to add some additional EV-related criteria to the current policy, either in the main body of the policy or as an addendum.

I'll also post to the mozilla.dev.tech.crypto newsgroup on this topic.

process for evaluating

Various parts such as section 7 have to be expanded and defined clearly before EV certificates shall be treated any different than section 7 suggests. What are the accepted minimum requirements to have an EV certificate marked as such in the browser? What are the criteria to have a CA root marked as EV worthy? There might be other sections of the Mozilla policy which might require adjustments as well.

Oops: Disregard the last paragraph of the previous comment; I inadvertently pasted in part of Eddy Nigg's comments from another bug.

After thinking about it, I think it may be possible to address EV certificates just by adding a final paragraph to section 6 of the current policy. See the attached patch to the HTML version of the policy as published on www.mozilla.org.

Note that since this would be a substantive change to the policy (as opposed to a simple typographical or technical correction) the patch updates the policy version number to 1.1.

Based on comments from Eddy Nigg in m.d.t.crypto I've decided to modify the draft patch. See my post of 2007/11/06 in that newsgroup.

Attachment #284644 - Attachment is obsolete: true

Blocks: 402947

Based on more comments from Eddy Nigg in m.d.t.crypto, I've decided to reference the WebTrust EV audit criteria in section 8 of the policy, with the language chosen so as to make it clear that these criteria don't stand alone but are to be used in conjunction with the traditional WebTrust for CAs criteria.

Attachment #287621 - Attachment is obsolete: true

I've added an item to section 14 (per Eddy Nigg's suggestion) to request EV information from CAs as part of their requests for inclusion. I've also made some nonsubstantive changes for grammar and to add cite tags to document references. For a copy of the resulting full policy after the proposed patch, see http://hecker.org/private/index-ev4

Attachment #287792 - Attachment is obsolete: true

Created the final 1.1 policy using the patch referenced above, and published it at

  http://www.mozilla.org/projects/security/certs/policy/

Resolving this bug as fixed.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS