Security:EV
Introduction
The goal of this document is to assist with current discussions about Extended Validation (EV) SSL certificates as proposed by the CA/Browser Forum. Here we try to collect, structure and organize the various aspects, arguments and solutions concerning the proposed guidelines and what they mean for Mozilla as a whole and Firefox in particular.
Discussions about EV happen mostly in the mozilla.dev.security newsgroup.
Arguments
Many arguments have been made and discussed in favor of or against support of EV by the Mozilla project. This section summarizes them. More detailed argumentation and explanation can be provided on additional pages. Please extend the list below:
Pro
- The EV guidelines supersede proprietary validation procedures of unknown strength and provide a unified standard.
- As far as we are aware, the EV guidelines provide a higher level of validation of the organization than current practices.
- With appropriate UI, the validated information in EV certificates may be presented to a user to help them be more sure of their location and so reduce phishing (pending a proposal by the UI team).
Contra
- The CA/Browser Forum, which maintains the standard, is not accessible to all the CAs in the Mozilla root certificate store, because of its requirement for a WebTrust audit.
- While the Mozilla project has one vote in the Forum, we cannot control for certain how the EV guidelines may change in the future.
- Higher levels of validation of the organization, similar to the proposed EV standard, already exist and are offered today by most CAs. It is the subscriber who decides which level of verification to perform. Therefore EV does not provide anything which is not available today.
- It has been suggested[1] that some UI presentations of EV are ineffective against phishing.
- The standard has been criticized for a very high barrier to entry for medium-sized and smaller CAs, without providing any benefit to relying parties because of low or non-existent liability[2].
Proposals and Suggestions
Current Status
Currently (in Firefox 2.0 and on the trunk) EV certificates have no distinguishing UI.