[cabfpub] Meta-Issues for EV App Dev Guidelines document (Meta Issue 2)

Rick Andrews Rick_Andrews at symantec.com
Wed Dec 12 01:05:31 UTC 2012


As suggested on the last call, I've handled a lot of the minor issues in this doc and grouped the remaining ones into meta-issues (five of them). I'll send out emails periodically to have discussion on each. This is the second.

The issues list and the doc itself can be found on the wiki at https://www.cabforum.org/wiki/89%20-%20Adopt%20Guidelines%20for%20the%20Processing%20of%20EV%20SSL%20Certificates%20v.2

NOTE that I especially need input from browser vendors. This is your document.

Meta-Issue #2

The problem text is this:
"Certificates for which confirmation (read: revocation status) cannot be obtained...should not be treated as trusted certificates."

Brian Smith points out that this mandates hard-fail. I agree, but think that might be appropriate for EV certs. I also realize that mandating hard-fail is a non-starter for many, but without this sentence, we're saying that if you can't get revocation status for an EV cert, it's acceptable to drop it down to an ordinary trusted cert. I strongly disagree with that. EV should stand for something more than just slower vetting.

Brian said "Practically speaking, I think it would be bad for us to support standards/recommendations/guidelines that, if we implemented them, would result in us failing to load websites more frequently than other browsers do and/or if it means we would not be able to be as fast as browsers that do not implement the standards/recommendations/guidelines." But if all browsers agree to do this, then none will be at a disadvantage compared to the others. I think that browsers should be free to innovate and compete on features, but should be held to the same security standards.

Brian also feels that the CAB Forum is the wrong place to come to agreement on this. He said "it seems much better for us to use the well-established W3C and IETF IPR rules rather than spending time on IPR rules for CABForum technical specifications." I strongly disagree - CAB Forum has the right participants in it, can move more quickly than standards bodies, and CAB Forum created EV in the first place.

I welcome your comments.

-Rick
