[cabfpub] Meta-Issues for EV App Dev Guidelines document (Meta Issue 3)
Rick_Andrews at symantec.com
Tue Jan 22 19:21:43 UTC 2013
As suggested on an earlier call, I've handled a lot of the minor issues in this doc and grouped the remaining ones into meta-issues (five of them). I'll send out emails periodically to have discussion on each. This is the second.
The issues list and the doc itself can be found on the wiki at https://www.cabforum.org/wiki/89%20-%20Adopt%20Guidelines%20for%20the%20Processing%20of%20EV%20SSL%20Certificates%20v.2
NOTE that I especially need input from browser vendors. This is your document.
Meta-Issue #3: The document currently states: "Certificates for which confirmation cannot be obtained should not be granted the EV treatment"
Brian Smith raised concerns about offline behavior (he wants Firefox to show the EV Treatment in that case). Rick stated that this applies whenever a full SSL handshake is performed. Since no SSL is done in offline mode, the browser should rely on cached info. If it has cached the certificate and an OCSP response, then it should be able to display the EV Treatment.
Brian also raised concerns about the EV indicator switching on and off and confusing users. Rick agrees that it might be confusing, but asked what should happen if a later OCSP fetch failed because an attacker was in the middle or had otherwise changed the certificate to a different one?
I welcome your comments.
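As an added illustration (not part of the original post or any browser's code), the following model encodes the two cases described above: with no TLS handshake (offline) the browser relies on a cached certificate and cached OCSP response, while after a full handshake a certificate whose confirmation cannot be obtained gets no EV treatment. The data shape, function names and fingerprint strings are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CachedOcsp:
    cert_fingerprint: str  # certificate the cached response was fetched for (assumed field)
    status: str            # "good", "revoked" or "unknown"
    next_update: int       # epoch seconds; the cached response is stale after this

def ev_treatment(handshake_done: bool, cert_fingerprint: str,
                 fresh_ocsp: Optional[str], cache: Optional[CachedOcsp], now: int) -> bool:
    """Decide whether the EV indicator may be shown for this page load.

    handshake_done: False when the page is served from cache (offline), so no
                    TLS handshake and no OCSP fetch happened for this load.
    fresh_ocsp:     status from the OCSP fetch made during this handshake, or
                    None if the fetch failed.
    """
    if not handshake_done:
        # Offline: the only evidence is the cached certificate plus a cached,
        # still-valid "good" response for that same certificate.
        return (cache is not None
                and cache.cert_fingerprint == cert_fingerprint
                and cache.status == "good"
                and now < cache.next_update)
    # Online: a full handshake was performed, so confirmation must be obtained now.
    # A failed fetch (None) or "unknown" means confirmation could not be obtained.
    # A certificate substituted by a man in the middle has no "good" confirmation
    # either, so the indicator is withheld rather than shown on stale evidence.
    return fresh_ocsp == "good"

def indicator_timeline(loads: List[Tuple[bool, str, Optional[str]]],
                       cache: Optional[CachedOcsp], now: int) -> List[bool]:
    """Run a sequence of (handshake_done, fingerprint, fresh_ocsp) loads and return
    the EV indicator state for each, making any on/off switching visible."""
    return [ev_treatment(h, fp, o, cache, now) for h, fp, o in loads]

# Constructed scenario: a cached "good" response for certificate "A", valid until t=2000.
SAMPLE_CACHE = CachedOcsp(cert_fingerprint="A", status="good", next_update=2000)
SAMPLE_LOADS = [
    (True, "A", "good"),   # online, confirmed           -> EV shown
    (False, "A", None),    # offline, cached cert + OCSP -> EV shown
    (True, "A", None),     # online, OCSP fetch failed   -> EV withheld
    (True, "B", None),     # online, different cert, no confirmation -> EV withheld
    (False, "B", None),    # offline, cert differs from cache -> EV withheld
]
```

`indicator_timeline(SAMPLE_LOADS, SAMPLE_CACHE, now=1000)` yields `[True, True, False, False, False]`, which shows the indicator switching off exactly in the cases where confirmation is missing.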