Subject: Policy-Discussion
- From: "Peter Williams" <home_pw AT msn.com>
- To: "'Policy-Discussion'" <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] EV stuff
- Date: Tue, 21 Oct 2008 09:39:11 -0700
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
First off, unlike https certs that asserted control of a registered name (a
domain name in particular): the main object is disclosed as "Identify the
legal entity that controls a website"
A website is not a name. It's an operating concept, and all URLs that fall
below are presumably part of the website (but only for those URL schemes
that are hierarchical in nature (and not all are)). Let's assume however we
are still in name registration control land, and the URL-name is now the
thing the IA registers, and confirms, where in reality we are registering an
entire class of URLs.
Next: "is controlled by a specific legal entity identified in the EV
Certificate". The main object is characterized by the EE cert, not
intermediate certs or Roots. The representation made in the EV cert is what
is intended to control. Whoever does it, using whatever chains of CAcert,
that EV cert states the "claim". An issuer represents that the specific
legal entity controls a website.
What you do see (stupidly) is 3a. "the CA and its Root CA make the EV
Certificate Warranties". That is, warranties are, in part, a function not of
the issuer, but a "Root CA".
In section 2, you see the Root taking a control position: making
representations to beneficiaries of various types about the CA. This is
really poor design, as it essentially prevents use of cross-certs that do
policy mapping (e.g. the US bridge CA).
Arguably it is "really good design", if your sole goal is to promote
hierarchical PKI.
4a1 is interesting, as it imposes an international compliance obligation on
Root CAs, as they must comply with laws "where they operate". This is bad
(US) lawyering, in my non legal view. Clearly Roots are actively making
warranties, exercising control, and thus they are "operating". Thus their
operations must be in compliance with all laws, even in those where such
operations are not lawful (e.g. they are not licensed). Hmm. Fire the
lawyer, or better still, send him to the US Dept of State for retraining.
4b1 is also fun, since a Root CA must have a website. Presumably a Root CA
can also be a CA issuing EV certs, so one can tell if the Root CA is the
legitimate controller of that website.... What rubbish, in my humble
opinion!
I read 4b1c three times, and have given up. I don't know what it means. I
don't know what a CA's root certificate hierarchy is, given intermediate CA
crosscerts.
5b6 only applies to the CA, as the disclosed, not to the Root CA.
Ok. Enough of this for now. I cannot take any more. I'll try again later. In
general though, it feels like a camel.
-----Original Message-----
From: cacert-policy-bounces AT lists.cacert.org [mailto:cacert-policy-bounces AT lists.cacert.org] On Behalf Of IanG
Sent: Tuesday, October 21, 2008 8:44 AM
To: Policy-Discussion
Subject: [CAcert-Policy] EV stuff
Peter Williams wrote:
> Can you give a URL to the full text?
http://www.cabforum.org/EV_Certificate_Guidelines.pdf
Also, there is now a new document I've just discovered:
http://www.cica.ca/index.cfm/ci_id/35128/la_id/1/document/1/re_id/0
Which is a set of new criteria for audit. If you can't download
that, ping me.
> I've never read it (way after my time...)
Welcome to the Hotel California ...
iang
> -------------
>
>
> Ah, here it is:
>
> (3) The CA and/or its Root CA MAY self-insure for liabilities that
> arise from such party's performance and obligations under these
> Guidelines provided that it has at least $500 million in liquid
> assets based on audited financial statements in the past twelve
> months, and a quick ratio (ratio of liquid assets to current
> liabilities) of not less than 1.0.