<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
DigiCert supports this, and not because we expect the browsers to
use the information. Requiring these OIDs would be invaluable in
our own research on BR compliance and the use of OV/DV/IV.
Examination of certificates does not clearly indicate how the
certificate was validated since companies like Amazon.com might be
validated as OV/DV. Similar problems arise distinguishing between IV
and OV certs. Requiring the OIDs corresponding the appropriate
validation will greatly improve evaluation of these certificates.<br>
<br>
There doesn't need to be an OID per revision. Section 11 rarely
changes. You can get a very good approximation of use based on the
notBefore date. Besides, even if there are revisions to these
sections, the principles behind them are the same. DV requires a
verification of domain ownership. OV adds a record check for the
authorization of the requester and authenticity of the subject. IV
requires a photo ID or similar mechanism. The language may change,
but the process has essentially stayed the same since adoption.<br>
<br>
Jeremy<br>
<br>
<div class="moz-cite-prefix">On 10/2/2014 6:55 PM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvZNyLZ9afAT_kVD_SnMJFPaj+i40194O5DL27RUm6KJfQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 2, 2014 at 5:31 PM, Dean
Coclin <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Thanks
for the response and pointers. I’ve read through
the threads but still have additional
questions/comments. I’ll readily admit that I
don’t understand all the commentary in the Mozilla
threads so I apologize if these questions sound
somewhat naïve. Happy to be educated:</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal">You've heard repeatedly from
several browsers about an explicit non-goal of
distinguishing DV and OV. As the Forum is comprised
of CAs and Browsers, do we have any Browsers that
wish to make such a distinction? If not, it would be
wholly inappropriate for the Forum to require it.</p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">>>I
haven’t heard of any browsers that want to make
that distinction (yet). It is my understanding
that the Forum BRs do require an OID for EV certs.
So why is it “inappropriate” for the Forum to
require OIDs for DV/OV?</span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Browsers have agreed to make a distinction between EV
and !EV, so have required there be a way to detect that.</div>
<div>Browsers have not agreed that there is a distinction
between DV or OV, nor is there a need to detect the
difference.</div>
<div><br>
</div>
<div>That the browsers have required (effectively all stores
at this point, AFAIK) is that the root program members be
BR compliant. So any new certs issued (technically,
independent of the notBefore, and we know CAs regularly
backdate from time of issuance, but it's a rough
heuristic) are, by definition, BR compliant.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">
</span></p>
<span class="">
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal">If there are non-browser
relying parties interested in such distinctions,
the CA can always provide such distinctions
themselves.</p>
</span>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">>>Can
you elaborate on what you mean by this? If there’s
another way to accomplish the end result, happy to
explore further. But it would have to be uniform
among all CAs that issue these certs.</span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>I don't see why it needs to be uniform.</div>
<div><br>
The requirement as to what shape it takes is dictated by
the relying party applications.</div>
<div>The browsers, as relying party applications, do not and
have not yet cared about the shape of DV and OV, and as
per our recent F2F, aren't really keen to either.</div>
<div><br>
</div>
<div>So having the browsers dictate the shape of the
solution seems unnecessary, and an issue for these relying
party applications (e.g. Netcraft) to work with CAs.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"></span></p>
<span class="">
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal">As someone very keen on
programatic checks and detection for misissuance,
there's no question that this would NOT
meaningfully help address the concerns we see.</p>
</span>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">>>I
wasn’t suggesting that this addition would in any
way help you with your programmatic checks for
mis-issuance. Rather, it would make the task for
organizations like Netcraft, EFF or others that
tabulate statistics on various types of
certificates easier to do. Is that not the case?</span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Not really. These organizations are interested in the
same discussions and distinctions we are - what are the
certificates being issued and do they conform to the
policies that they're supposed to.</div>
<div><br>
</div>
<div>We've established that there's no 'uniform' definition
of what constitutes OV, only that the BR requires certain
vetting steps for certain subject fields that are
OPTIONAL. CAs have taken these and marketed them as OV,
but there's no such distinction as a level, nor a
particular profile spelled out in the appendices as to
what constitutes a "DV" vs "OV".</div>
<div><br>
</div>
<div>If that was the only degree of distinction required,
it's just as easy as checking the Subject fields for any
of the OPTIONAL fields.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"></span></p>
<span class="">
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal">That is, there would need to be
an OID _per revision_ of the BRs, to indicate
"which" version of the BRs something was complying
to. </p>
</span>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">>>Fully
admit that I don’t understand how this works. But
wouldn’t that also be the case for EV (which
currently requires this OID)?</span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>YES! And it's one of the many reasons why EV is
somewhat muddled for programatic checks or distinctions.
And yet this is also necessary because any change in
policy, by definition, necessitates a change in OID to
(meaningfully) reflect that. And that constitutes rolling
a new hierarchy (and updating browsers' lists of
recognized EV OIDs)</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"></span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I’m
just trying to suggest a way that someone can
say: X is a DV cert, Y is an OV cert, Z is an EV
cert without a doubt. If OIDs are not the place to
do that, is there another mechanism available?<br>
I’m sure you are familiar with Ryan Hurst’s blog
on how difficult the task currently is.</span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>I am (you're talking about <a moz-do-not-send="true"
href="http://unmitigatedrisk.com/?p=203">http://unmitigatedrisk.com/?p=203</a>
in particular). But I'm also not supportive of encouraging
a distinction that we neither recognize nor have plans to
recognize, and especially not supportive of mandating such
distinctions.</div>
<div><br>
</div>
<div>This is especially true, as these distinctions don't
offer any tangible security benefits to the Web, as
previously discussed.</div>
<div><br>
</div>
<div>If we go to the point of mandating anything additional
in certificates, which requires a variety of changes in
processes, profiles, and CPSes, I want it to have
meaningful security value. This change - which, as has
been shown by the development of audit standards and then
the eventual incorporation of those audit standards into
the root programs, and then FINALLY the <b>enforcement</b> of
those audit standards of the root programs - would take
several years, at BEST, to deploy, and would communicate
nothing of actionable value. It's a hard sell.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"></span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><br>
Thanks,<br>
Dean</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><b><span
style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span
style="font-size:10pt;font-family:Tahoma,sans-serif"> <a
moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Thursday, October 02, 2014 3:37 PM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span></p>
<div>
<div class="h5">
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Thu, Oct 2, 2014 at
10:33 AM, Dean Coclin <<a
moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com"
target="_blank">Dean_Coclin@symantec.com</a>>
wrote:</p>
<div>
<div>
<p class="MsoNormal">Further to today’s
discussion on our call, I’d like to
get more feedback on a proposal to
make a unique standardized OID
mandatory for DV and OV certificates
in the Baseline Requirements.
Currently we have a mandatory OID for
EV certificates but optional for OV
and DV. This makes things difficult
for at least two groups of
constituents:</p>
<p class="MsoNormal"> </p>
<p>1.<span style="font-size:7pt">
</span>Relying parties that would like
to distinguish between these
certificates</p>
</div>
</div>
<div>
<p class="MsoNormal">You've heard
repeatedly from several browsers about
an explicit non-goal of distinguishing
DV and OV. As the Forum is comprised of
CAs and Browsers, do we have have any
Browsers that wish to make such a
distinction?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">If not, it would be
wholly inappropriate for the Forum to
require it. If there are non-browser
relying parties interested in such
distinctions, the CA can always provide
such distinctions themselves.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-style:none none
none
solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in
0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p>2.<span style="font-size:7pt">
</span>Analysts that report on SSL
certificate data who have had to
issue revised reports because of
cert misclassification</p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal">As mentioned on the
call, this has been discussed with
Mozilla in the past - <a
moz-do-not-send="true"
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ"
target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">As someone very keen
on programatic checks and detection for
misissuance, there's no question that
this would NOT meaningfully help address
the concerns we see.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">That is, there would
need to be an OID _per revision_ of the
BRs, to indicate "which" version of the
BRs something was complying to. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I would hope that <a
moz-do-not-send="true"
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ"
target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ</a>
would capture some of these concerns
more fully.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Finally, to do
anything meaningful with this in all
major clients, it would require that CAs
redo their certificate hierarchy, as
policy OIDs are inherited. That's a
silly thing, especially when CAs are
still struggling to migrate from SHA-1
to SHA-256 in their intermediates.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-style:none none
none
solid;border-left-color:rgb(204,204,204);border-left-width:1pt;padding:0in
0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">My proposal is
for CAs to put in OID X if it’s a DV
certificate and OID Y if it’s an OV
certificate.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">As Rick reminded
me on the call, we currently have
something like this for EV
certificates (except that CAs are
free to use the standard OID or
define one of their own).</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’d like to hear
pros/cons of this. Ryan S indicated
that Google would not support such a
proposal but we didn’t have time to
discuss the reasons.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’m sure there
are both technical and policy
reasons. Personally I’d like to
focus on the latter but remarks on
both are welcome. This proposal
doesn’t require anyone to do
anything with this data (i.e relying
parties can choose whether or not to
utilize it).</p>
<p class="MsoNormal"><br>
Thanks,<br>
Dean</p>
<p> </p>
<p> </p>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
target="_blank">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a></p>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>