Security:EV: Difference between revisions
Revision as of 00:52, 13 February 2007
Introduction
The goal of this document is to assist the current discussions about Extended Validation (EV) SSL certificates as proposed by the CA/Browser Forum. Here we try to collect, structure and organize the various aspects, arguments and solutions concerning the proposed guidelines, and what they mean for Mozilla at large and the Firefox browser in particular.
Discussions are held mostly on the Mozilla dev-security mailing list. Before editing this page, it is suggested that you propose the addition or change on the talk/discussion page.
Arguments
Many arguments have been made and discussed for and against Mozilla supporting EV in some form. This section should summarize them; more detailed argumentation and explanation can be given on additional pages. Please extend the lists below:
Pro
- The EV guidelines remove the proprietary procedures used by current certification authorities and provide a unified standard.
- The EV guidelines propose stricter validation of the organization and subscriber of the certificate.
Contra
- The CA/Browser forum is mainly an interest group of commercial certification authorities.
- The EV guidelines can be diluted and changed over time, making them less effective.
- Audit procedures for the CAs can currently only be performed by four audit firms authorized by WebTrust (http://www.webtrust.org); no real alternatives exist, unlike in the Mozilla CA policy (http://www.mozilla.org/projects/security/certs/policy/, Sections 8 - 10).
- EV has been suggested to be ineffective against phishing (Source: http://www.usablesecurity.org/papers/jackson.pdf).
Proposals and Suggestions
Current Status
Currently, EV certificates are not handled differently from other SSL certificates.
Eddyn 15:19, 12 February 2007 (PST)