[cabfpub] Meta-Issues for EV App Dev Guidelines document (Meta Issue 1)

Ryan Sleevi sleevi at google.com
Thu Dec 6 19:56:48 MST 2012


On Thu, Dec 6, 2012 at 5:11 PM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

>  As suggested on the call today, I’ve handled a lot of the minor issues
> in this doc and grouped the remaining ones into meta-issues (five of them).
> I’ll send out emails periodically to have discussion on each. This is the
> first.
>
> The issues list and the doc itself can be found on the wiki at
> https://www.cabforum.org/wiki/89%20-%20Adopt%20Guidelines%20for%20the%20Processing%20of%20EV%20SSL%20Certificates%20v.2
>
> NOTE that I especially need input from browser vendors. This is your
> document.
>
> Meta-Issue #1
>
> The problem text is this:
> Section 10: “…the effective key strength of symmetric algorithms must be
> at least 128 bits…”
> Section 13: “The application should follow HTTP redirects and
> cache-refresh directives. Response time-out should not be less than three
> seconds”
>
> For EV certs, do browsers more strictly check DHE key sizes and policy
> OIDs in intermediate certificates?
>
> Also, Yngve suggested "Perhaps it needs to be made clear that the policy
> identifier (EV-OID) does not match if the non-root issuing CA
> certificate(s) of the chain does not contain either the EV-OID itself, or
> the any-policy OID?" What do other browser vendors think? Do you do any
> such checks today?
>
> For EV certs, do browsers specifically follow HTTP redirects and comply
> with cache directives? I would only add these items if there is consensus
> to do so among the browser vendors.
>
> -Rick
>
Note: Yngve also proposed (in Item 13) that cookies not be sent or
accepted when retrieving revocation information.

This is true for Windows CryptNet/CryptoAPI and for Google Chrome on
(Linux, iOS, ChromeOS, Windows). I believe this is also true for OS
X/Safari.

I support language directing clients not to include cookies, on the basis
of both performance and user privacy, but if it doesn't make this revision,
that's far from a deal breaker. It's still good guidance for application
developers in general - not just EV.
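As an added example (not code from the thread or from any CA/B Forum document), the intermediate-certificate policy rule Yngve describes above can be expressed as a small chain walk: the leaf must assert the EV OID, and every non-root issuing CA must carry either that OID or anyPolicy. The chain layout (leaf first, root last, each certificate as a dict of policy OIDs) and the EV OID value `2.999.1.1` are constructed placeholders.

```python
"""Illustrative EV policy-OID chain check (added example, not from the thread).

Assumes a chain ordered leaf -> intermediates -> root, where each element is
a constructed dict with 'subject' and the certificatePolicies OIDs it carries.
"""

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, RFC 5280 section 4.2.1.4


def ev_policy_matches(chain: list[dict], ev_oid: str) -> bool:
    """Return True when ev_oid is asserted end to end.

    The leaf must list ev_oid itself (anyPolicy in an end-entity certificate
    does not assert EV).  Every non-root issuing CA must list ev_oid or
    anyPolicy; otherwise the policy chain is broken and the match fails.
    The root is exempt: its EV status comes from the client's root program
    configuration, not from the certificate's own extensions.
    """
    if not chain:
        return False
    leaf, intermediates = chain[0], chain[1:-1]
    if ev_oid not in leaf["policies"]:
        return False
    for ca in intermediates:
        policies = set(ca["policies"])
        if ev_oid not in policies and ANY_POLICY not in policies:
            return False  # intermediate carries neither the EV OID nor anyPolicy
    return True


# Constructed sample chains; 2.999.x OIDs are documentation placeholders,
# not any CA's real policy identifiers.
EV_OID = "2.999.1.1"
DV_OID = "2.999.2.2"
ROOT = {"subject": "Example Root", "policies": []}

GOOD_CHAIN = [
    {"subject": "www.example.com", "policies": [EV_OID]},
    {"subject": "Example EV Intermediate", "policies": [EV_OID]},
    ROOT,
]
ANYPOLICY_CHAIN = [
    {"subject": "www.example.com", "policies": [EV_OID]},
    {"subject": "Example Intermediate", "policies": [ANY_POLICY]},
    ROOT,
]
BROKEN_CHAIN = [
    {"subject": "www.example.com", "policies": [EV_OID]},
    {"subject": "Example DV-only Intermediate", "policies": [DV_OID]},
    ROOT,
]
LEAF_ANYPOLICY_CHAIN = [
    {"subject": "www.example.com", "policies": [ANY_POLICY]},
    {"subject": "Example EV Intermediate", "policies": [EV_OID]},
    ROOT,
]
```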