Closed
Bug 413545
Opened 17 years ago
Closed 17 years ago
Update Mozilla CA certificate policy for interim use of draft EV guidelines
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: hecker, Assigned: hecker)
Attachments
(1 file)
2.43 KB,
patch
When we updated the Mozilla CA certificate policy to accommodate requests related to Extended Validation (EV) certificates, we specified use of the 1.0 EV guidelines from the CAB Forum and the 1.0 EV criteria from WebTrust. As it happens, because of the relatively recent adoption of the final EV guidelines and criteria and typical CA audit schedules, all (or almost all) of the EV-related CA requests we've gotten were associated with WebTrust EV audits against the draft guidelines. However the changes introduced between the draft and final versions don't appear to be significant in terms of end user security. My proposal is therefore to accept all valid WebTrust EV audits, whether against the draft or final criteria/guidelines, for all CA EV applications submitted before a certain date. To allow for any additional applications that come in, that date would be at some point in the future, perhaps June 30 2008; after that we'd revert the policy to specify the final criteria and guidelines only, to emphasize that the drafts are obsolete and deprecated.
Comment 1•17 years ago (Assignee)
Attached a proposed patch for the Mozilla CA certificate policy to designate draft versions of the EV guidelines and WebTrust EV criteria as acceptable during a transition period.
Comment 2•17 years ago
This sounds reasonable to me. I was going to ask if we planned to remove the language about Draft 11 after some suitable period of time (e.g. when all audits against draft 11 would have expired) but given that you have a date limit on entries being draft-11-grandfathered, I don't know if it's really necessary after all.
Comment 3•17 years ago
Agreed. Another update just to remove the draft declaration might be superfluous.
Comment 4•17 years ago
This seems fine to me. The 1.0 guidelines were released on 7th June 2007; instead of specifying a grandfather limit for applications, might it make more sense to disallow EV audits under draft 11 where the audit period commenced after 30th June 2007?
Gerv
Comment 5•17 years ago (Assignee)
(In reply to comment #4)
> The 1.0 guidelines were released on 7th June 2007; instead of specifying a
> grandfather limit for applications, might it make more sense to disallow EV
> audits under draft 11 where the audit period commenced after 30th June 2007?
I thought about doing this. However it is difficult to ascertain from public documents when an audit period began for a particular CA -- the typical report has the date the auditors signed off on the audit, but not the beginning date of the audit. We would have to ask each CA individually, and then they might have in turn to ask the auditors. That's why I prefer the alternative approach of just accepting all WebTrust EV audits (whether against draft or final criteria) until a date when we can be reasonably certain that all audits submitted will be against the final criteria.
Comment 6•17 years ago (Assignee)
If there are no further comments, I'm going to go ahead and make this policy change. The overall thrust of the change seems to be non-controversial.
Comment 7•17 years ago (Assignee)
Revision 1.2 is now published. I'm resolving this bug as FIXED.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program