- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 1 May 2007 09:43:25 -0400
- To: "Close, Tyler J." <tyler.close@hp.com>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>

The EV cert is a standard X.509 certificate that has specific extensions as allowed by the X.509 standard.

I am in favor of referring to standards bodies: "Protocols, infrastructure as defined by standards bodies"

CA browser forum has been working EV certificates, IETF is working PKIX, TLS/SSL, W3C has HTTP...

Bill D

The primary way to identify an EV certificate is by referencing the Certificate Policies extension field.

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Close, Tyler J.
Sent: Friday, April 27, 2007 5:23 PM
To: Mary Ellen Zurko; public-wsc-wg@w3.org
Subject: RE: ISSUE-26 OPEN "currently deployed security information"

Thomas' suggested rewording is:

"""
In section 5.4 ("new security information"), the note stipulates that "Recommendations will only be made for the presentation of currently deployed security information." I find myself struggling with what that phrase might mean, and in considering the charter's language ("new protocols out of scope"), I would rather say that we'll limit ourselves to, e.g., "security information that can be made available within the currently deployed protocol framework."
"""

I think you could drive a truck through this new wording. I recall there being strong consensus that we didn't want to dream up new security information we would like to have and then make recommendations that depend upon that new information. Such information could be made available as additional X.509 certificate attributes and so be "made available within the currently deployed protocol framework".

If we want to ensure that EV certificates aren't disqualified by the current wording, I suggest expanding upon the "currently deployed" qualifier in such a way as to ensure the inclusion of EV. I think I recall Phil at one point claiming that all Verisign certs are EV certs, and always have been. Such a claim certainly crosses the "currently deployed" threshold, in which case, there's no need for an edit.

I'd like to discuss this edit some more, and so consider this post as refreshing Mez's one-stale-week consensus barometer. ;)

Tyler

Received on Tuesday, 1 May 2007 13:43:34 UTC