On Monday, November 18, 2013 5:54 AM, Sigbjørn Vik wrote:


> Adding an "in order to" clause, stating that relying parties have been
> required to work "in order to" achieve some particular end result, would be
> one solution. E.g. "Historically, CSP's policies and practices varied, and
> had to be assessed by relying agents in order to be certain of their
> suitability for the intended usage."
>
> Replacing "relying parties" with root store managers and application
> software providers, would be another solution.
>
> Removing the sentence would also work. Having some background information
> is good though, so I don't recommend removing the paragraph.


Here are some suggested redline edits to the current version of the

16. Conclusion

Not all certificates are equally trustworthy.  Their trustworthiness depends
upon the strength of their cryptographic protection.  But, it also depends
on the policies and practices used in their issuance and management.
Historically, relying parties have been required to assess the suitability
of a CSP's policies and practices for the intended usage (e.g. Section 3.3.5
of ITU X.509 (1997-08) defines Certificate Policy as “A named set of rules
that indicates the applicability of a certificate to a particular community
and/or class of application with common security requirements. For example,
a particular certificate policy might indicate applicability of a type of
certificate to the authentication of electronic data interchange
transactions for the trading of goods within a given price range”).   In
2007 (and with later revisions) public CSPs agreed and browsers
participating in the CA/Browser Forum began to collaborate on a common
set of policies and practices for CAs that establish a minimum level of
assurance deemed suitable for common Internet purposes, such as eCommerce
and eGovernment.  Achieving the intended level of assurance also requires
proper behavior by the relying application.  Because EV Certificates play an
important role in securing the online ecosystem, we provide these
recommendations to application developers to help them protect users when
visiting EV-protected websites.


I don't care about adding the parenthetical cross-reference to X.509 -- which
is more to answer Sigbjørn's earlier question about what was meant by the
sentence -- but I think the other edits make the paragraph a lot more clear.


