[cabfpub] Meta-Issues for EV App Dev Guidelines document (Meta Issue 1)

Rick Andrews Rick_Andrews at symantec.com
Fri Dec 7 01:11:32 UTC 2012


As suggested on the call today, I've handled a lot of the minor issues in this doc and grouped the remaining ones into meta-issues (five of them). I'll send out emails periodically to have discussion on each. This is the first.

The issues list and the doc itself can be found on the wiki at https://www.cabforum.org/wiki/89%20-%20Adopt%20Guidelines%20for%20the%20Processing%20of%20EV%20SSL%20Certificates%20v.2

NOTE that I especially need input from browser vendors. This is your document.

Meta-Issue #1

The problem text is this:
Section 10: "...the effective key strength of symmetric algorithms must be at least 128 bits..."
Section 13: "The application should follow HTTP redirects and cache-refresh directives. Response time-out should not be less than three seconds"

For EV certs, do browsers more strictly check DHE key sizes and policy OIDs in intermediate certificates?

Also, Yngve suggested "Perhaps it needs to be made clear that the policy identifier (EV-OID) does not match if the non-root issuing CA certificate(s) of the chain does not contain either the EV-OID itself, or the any-policy OID?" What do other browser vendors think? Do you do any such checks today?

For EV certs, do browsers specifically follow HTTP redirects and comply with cache directives? I would only add these items if there is consensus to do so among the browser vendors.

-Rick
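
The chain check described in Yngve's suggestion, as an added example that is not part of the original message or any browser's code. The `Cert` model, the sample chains and the EV OID value are constructed, and the rule that the leaf must assert the EV OID itself is an assumption. This simplifies RFC 5280 policy processing by ignoring policy mappings and constraints.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY_POLICY = "2.5.29.32.0"           # anyPolicy OID from RFC 5280
EV_OID = "1.3.6.1.4.1.99999.1.1"     # constructed placeholder, not a real CA's EV OID
OTHER_OID = "1.3.6.1.4.1.99999.2.1"  # constructed non-EV policy


@dataclass
class Cert:
    subject: str
    policies: Optional[FrozenSet[str]] = None  # None = no certificatePolicies extension
    is_root: bool = False


def ev_policy_matches(chain, ev_oid=EV_OID):
    """chain is ordered leaf first, root last. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    leaf, issuers = chain[0], chain[1:]
    # Assumption: the leaf must carry the EV OID itself; anyPolicy in a leaf is not accepted.
    if leaf.policies is None or ev_oid not in leaf.policies:
        return False, f"{leaf.subject}: leaf does not assert the EV OID"
    for cert in issuers:
        if cert.is_root:
            continue  # the suggested rule covers only non-root issuing CA certificates
        allowed = cert.policies or frozenset()
        if ev_oid not in allowed and ANY_POLICY not in allowed:
            return False, f"{cert.subject}: intermediate has neither EV OID nor anyPolicy"
    return True, "EV OID asserted by leaf and permitted by every intermediate"


def ca(name, *oids):
    return Cert(name, frozenset(oids))


ROOT = Cert("Example Root", is_root=True)
LEAF = ca("www.example.test", EV_OID)
CHAINS = {  # constructed sample chains
    "ev_oid": [LEAF, ca("CA 1", EV_OID), ROOT],
    "any_policy": [LEAF, ca("CA 1", ANY_POLICY), ROOT],
    "other_policy_only": [LEAF, ca("CA 1", OTHER_OID), ROOT],
    "no_extension": [LEAF, Cert("CA 1"), ROOT],
    "second_intermediate_breaks": [LEAF, ca("CA 1", ANY_POLICY), ca("CA 2", OTHER_OID), ROOT],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(name, ev_policy_matches(chain))
```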
