<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div>CABF,</div>
<div> </div>
<div><font face="Calibri, sans-serif">At the Gjovik meeting, Tim suggested that I update the “<b>Guidance to Application Developers</b>” doc at <a href="http://www.cabforum.org/Guidelines_for_the_processing_of_EV_certificates%20v1_0.pdf"><font color="#0000FF"><u>http://www.cabforum.org/Guidelines_for_the_processing_of_EV_certificates%20v1_0.pdf</u></font></a>.
I’ve completed a redlined draft, attached.</font></div>
<div><font face="Calibri, sans-serif"> </font></div>
<div><font face="Calibri, sans-serif">Several comments:</font></div>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>I changed the word “guidelines” to “requirements” in several places, for these reasons:</li></ul>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 72pt; ">
<li>The document had a mix of both words; it already said “requirements” in many places</li><li>It’s been over five years since we started issuing EV certs; that should be enough time for all browsers and other clients to comply</li></ul>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>I updated/added text as needed to fill out what I believe to be the checks needed in order to grant “the EV treatment” (note that these were based on what I recall from working with folks at Microsoft; I don’t know if all browsers do these):</li></ul>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 72pt; ">
<li>Successful PKIX path validation, including policy extension checks (RFC 5280)</li><li>All certs in the chain are valid (also mandated by RFC 5280)</li><li>EV OID associated with the CSP is found in the EV certificate</li></ul>
<ul style="margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt; ">
<li>Limited the document to EV SSL, not EV Code Signing</li></ul>
<div> </div>
<div>I’d like to hear comments before I try to get this accepted by a ballot. Thanks,</div>
<div> </div>
<div>-Rick</div>
<div> </div>
<div> </div>
<div> </div>
</font>
</body>
</html>