Closed Bug 413545 Opened 17 years ago Closed 17 years ago

Update Mozilla CA certificate policy for interim use of draft EV guidelines

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: hecker)

Attachments

(1 file)

When we updated the Mozilla CA certificate policy to accommodate requests related to Extended Validation (EV) certificates, we specified use of the 1.0 EV guidelines from the CAB Forum and the 1.0 EV criteria from WebTrust. As it happens, because of the relatively recent adoption of the final EV guidelines and criteria and typical CA audit schedules, all (or almost all) of the EV-related CA requests we've gotten were associated with WebTrust EV audits against the draft guidelines. However, the changes introduced between the draft and final versions don't appear to be significant in terms of end user security.

My proposal is therefore to accept all valid WebTrust EV audits, whether against the draft or final criteria/guidelines, for all CA EV applications submitted before a certain date. To allow for any additional applications that come in, that date would be at some point in the future, perhaps June 30 2008; after that we'd revert the policy to specify the final criteria and guidelines only, to emphasize that the drafts are obsolete and deprecated.

Attached a proposed patch for the Mozilla CA certificate policy to designate draft versions of the EV guidelines and WebTrust EV criteria as acceptable during a transition period.

This sounds reasonable to me. I was going to ask if we planned to remove the language about Draft 11 after some suitable period of time (e.g. when all audits against draft 11 would have expired) but given that you have a date limit on entries being draft-11-grandfathered, I don't know if it's really necessary after all.

Agreed. Another update just to remove the draft declaration might be superfluous.

This seems fine to me.

The 1.0 guidelines were released on 7th June 2007; instead of specifying a grandfather limit for applications, might it make more sense to disallow EV audits under draft 11 where the audit period commenced after 30th June 2007?

Gerv

(In reply to comment #4)
> The 1.0 guidelines were released on 7th June 2007; instead of specifying a
> grandfather limit for applications, might it make more sense to disallow EV
> audits under draft 11 where the audit period commenced after 30th June 2007?

I thought about doing this. However it is difficult to ascertain from public documents when an audit period began for a particular CA -- the typical report has the date the auditors signed off on the audit, but not the beginning date of the audit. We would have to ask each CA individually, and then they might have in turn to ask the auditors. That's why I prefer the alternative approach of just accepting all WebTrust EV audits (whether against draft or final criteria) until a date when we can be reasonably certain that all audits submitted will be against the final criteria.

If there are no further comments, I'm going to go ahead and make this policy change. The overall thrust of the change seems to be non-controversial.

Revision 1.2 is now published. I'm resolving this bug as FIXED.

Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program