- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 13 Aug 2007 15:48:20 +0100
- To: michael.mccormick@wellsfargo.com, public-wsc-wg@w3.org, Pete.Palmer@wellsfargo.com, peltond@wellsfargo.com, Peri.Drucker@wellsfargo.com
Hi Thomas,

Thomas Roessler wrote:
> There needs to be some definition of what "the kind of certificate
> that triggers EV-like behavior" actually is, and that's what I think
> is in scope. Preferably, that definition isn't more than two or
> three sentences, with a reference or two.
>
> I don't really care what label we stick to these things, and I was
> not suggesting that we start writing up certification practices.

I'm a bit confused here. Isn't it a requirement for EV-like behaviour that the root-cert/trust-anchor is the thing that is marked? Otherwise, any old CA could insert the OID without having signed up to anything. Or, is there a presumption that there'll be a root-police that'd catch and react to such (probably bogus) assertions?

If I'm right, that means that essentially the EV-like flag is set when the TA is installed (which may be via some putative TA protocol, or more likely for now, via browser s/w update). In that case, there's no need for an X.509 OID.

If I'm wrong (always likely:-), then maybe someone could explain how EV-certs differ from the old server-gated crypto tricks browsers used to do. Without having delved into CAB forum docs, they seem more or less the same to me from this perspective.

S.
Received on Monday, 13 August 2007 14:51:08 UTC
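An added illustration of the point raised in the message above (this is example code, not anything from the thread or the WSC WG): a naive check that trusts an EV policy OID wherever it appears, beside a check that only honours the OID when the trust anchor was enrolled for it at install time. All certificate names, chains and the OID value are constructed placeholders.

```python
# Added example: why an EV policy OID in a leaf cert is only meaningful
# when it is bound to the trust anchor. Everything below is constructed.
from dataclasses import dataclass

EV_POLICY_OID = "2.99.1.1"  # hypothetical EV policy OID, constructed

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policy_oids: tuple = ()

# Trust-anchor store: each anchor records which EV policy OIDs it may
# assert. This is the "mark set when the TA is installed" model.
TRUST_ANCHORS = {
    "EV Root CA": {EV_POLICY_OID},
    "Plain Root CA": set(),
}

def anchor_for(chain):
    """Chain is leaf-first; return the anchor's name if it links to one."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return None
    root = chain[-1]
    if root.issuer == root.subject and root.subject in TRUST_ANCHORS:
        return root.subject
    return None

def naive_is_ev(chain):
    """OID-only check: any CA that inserts the OID gets EV treatment."""
    return anchor_for(chain) is not None and EV_POLICY_OID in chain[0].policy_oids

def anchor_bound_is_ev(chain):
    """OID must be present below the root AND the anchor must be enrolled."""
    anchor = anchor_for(chain)
    if anchor is None:
        return False
    if not all(EV_POLICY_OID in c.policy_oids for c in chain[:-1]):
        return False
    return EV_POLICY_OID in TRUST_ANCHORS[anchor]

# Constructed chains: one from an enrolled EV root, one from a plain root
# whose CA simply inserted the same OID without signing up to anything.
EV_CHAIN = (Cert("bank.example", "EV Issuing CA", (EV_POLICY_OID,)),
            Cert("EV Issuing CA", "EV Root CA", (EV_POLICY_OID,)),
            Cert("EV Root CA", "EV Root CA"))
ROGUE_CHAIN = (Cert("bank.example", "Plain Issuing CA", (EV_POLICY_OID,)),
               Cert("Plain Issuing CA", "Plain Root CA", (EV_POLICY_OID,)),
               Cert("Plain Root CA", "Plain Root CA"))
```

Running the two checks over both chains shows the difference: the naive check grants EV treatment to the rogue chain, the anchor-bound check does not.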