RE: ISSUE-97: Should logotypes be tied to EV certificates?[Techniques]

Some illuminating comments below from my colleague in the CAB forum Peri
Drucker.
(Responders please reply-to-all if you want Peri to see your email.
She's not a WSC subscriber.)

-----Original Message-----
From: Drucker, Peri 
Sent: Monday, August 13, 2007 6:30 PM
To: Stephen Farrell; McCormick, Mike; public-wsc-wg@w3.org; Palmer,
Pete; Pelton, Douglas S.
Subject: RE: ISSUE-97: Should logotypes be tied to EV
certificates?[Techniques]

Hi All,
 I will try to give some additional clarification on this.  But caveats
in that I am not a technologist.

The way that EV is supposed to work (comment about the Mozilla plug-in
follows) is that the Root is "marked" as EV in each browser.  That is,
Microsoft is testing and approving each root (and the processes that the
CA uses to issue) that it is including in the IE root store as an EV
root.  The CA will also designate an EV OID that the browser will put
into whatever it puts it into to try to treat the SSL cert as EV (and
then check to see if the root is an accepted Root to complete the
"processing").  The thought is that each browser will pretty much
control how they accept each Root that is claiming to be an EV root.
And then use whatever visual cue they determine to indicate that the
Cert is issued in accord with the EV guidelines. That is, that it is an
WCSSL cert, and not a standard SSL cert.

The Verisign plug-in is pretty well scorned and decried by all the other
CA's in the CAB forum.  It is pretty much a total subversion of how it
is supposed to work.  Mozilla apparently doesn't care all that much on
what happens in a Mozilla plug-in.  In this case, it has the root and
OID (I am guessing) hard coded into the plug in so that when a site has
an EVSSL cert, the URL bar turns green to mimic the IE7 behavior.  Our
understanding is that the Mozilla interface will not actually look like
this, whenever they finally release it.  We all feel that this pretty
much destroys the security concept, but Verisign won't back down on
this.  

I hope that this is helpful.  If you have any specific questions, I will
be happy to find someone who actually knows the answers to get back to
you.

So, to directly respond to the thread below, the browsers are supposed
to be the root police.

Thanks,
Peri

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Monday, August 13, 2007 7:48 AM
To: McCormick, Mike; public-wsc-wg@w3.org; Palmer, Pete; Pelton, Douglas
S.; Drucker, Peri
Subject: Re: ISSUE-97: Should logotypes be tied to EV
certificates?[Techniques]


Hi Thomas,

Thomas Roessler wrote:
> There needs to be some definition of what "the kind of certificate
> that triggers EV-like behavior" actually is, and that's what I think
> is in scope.  Preferably, that definition isn't more than two or
> three sentences, with a reference or two.
> 
> I don't really care what label we stick to these things, and I was
> not suggesting that we start writing up certification practices.

I'm a bit confused here. Isn't it a requirement for EV-like
behaviour that the root-cert/trust-anchor is the thing that
is marked? Otherwise, any old CA could insert the OID without
having signed up to anything.

Or, is there a presumption that there'll be a root-police
that'd catch and react to such (probably bogus) assertions?

If I'm right, that means that essentially the EV-like flag
is set when the TA is installed (which may be via some putative
TA protocol, or more likely for now, via browser s/w update).
In that case, there's no need for an X.509 OID.

If I'm wrong (always likely:-), then maybe someone could
explain how EV-certs differ from the old server-gated
crypto tricks browsers used do. Without having delved into
CAB forum docs. they seem more or less the same to me from
this perspective.

S.

Received on Tuesday, 14 August 2007 19:27:17 UTC