On Thu, July 24, 2014 8:59 pm,
nick...@lugatech.com wrote:
> So, based off of the comments that have been made, please can Mozilla
> support such a change?
>
> If not, what would Mozilla's objections be that are in scope to the
> question/issue? Presently, none appear to have been articulated.
>
> The immediate benefit to Mozilla would be consistency and conformity among
> the OV certificates that get issued. This is because, as Jeremy mentions,
> they will be bound by the requirements that inclusion of the OID brings as
> it is an assertion of compliance.
This is a tautology. There is no benefit except consistency, and there is
no benefit to consistency.
There is no need for an assertion of compliance - CAs make those
assertions themselves.
Further, the idea that a single OID is suitable for this is laughable, in
as much because there's no "single" version of the BRs that's fixed and
immutable.
As you can see from https://cabforum.org/baseline-requirements-documents/,
there are many versions. What you, minimally, want if you wish to
programmatically express some value (and if it's not programmatically
expressible, then there's no way there's value in manual inspection, since
there's no algorithm that people can use), is that the exact version of
conformance to the BRs is expressed in the cert.
>
> As has been said but probably needs to be reiterated, we all need to be
> careful not to conflate, confuse and overload the issue with the entirely
> separate and distinct questions that surround handling of the certificate
> in code and what appropriate UX is. These are clearly far more
> contentious, perhaps political in nature, and should be considered and
> discussed independently of this.
I think we need to be careful in suggesting arbitrary and capricious
requirements that fail to move the security needle further in a particular
direction.
Do I wish everyone would include the u in favourite and colour? Sure. Do I
think it should be mandatory to get a secure UI? No.
What's still missing is an articulation of value beyond the mere value of
consistency (which itself is not met).
And, of course, let's not forget that it would require CAs to re-do their
entire cert hierarchy - policy OIDs flow down from the root; this is, for
example, how EV is validated. Requiring this would require redoing the
cert hierarchy semi-regularly, and would still fail to accomplish the
goals the next time a new version of the BRs that tangibly altered the
requirements came out and a new OID had to be assigned.
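The "policy OIDs flow down from the root" point above is the RFC 5280 certificate-policy mechanism: a policy OID asserted in a leaf only counts when every issuer above it also asserts that OID (or anyPolicy), which is why a hierarchy issued before a policy OID existed cannot retroactively carry it. The following is an added example, not code from the mailing-list thread or from Mozilla or the CA/Browser Forum. It builds three constructed test hierarchies with Go's standard library, encodes the certificatePolicies extension by hand so it does not depend on any particular Go version's template fields, and walks each chain root-first for the real CA/Browser Forum OV OID (2.23.140.1.2.2) and EV OID (2.23.140.1.1). It assumes, for the demo, that the root's own certificatePolicies extension stands in for the trust-store record that browsers actually consult for a root; it also omits policy mappings and inhibitAnyPolicy. Names like "Demo Stale Intermediate" and "ov.example" are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Real OIDs: the extension id and anyPolicy are from RFC 5280; OV and EV are the CA/Browser Forum's.
var (
	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidAnyPolicy              = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	oidCABFOV                 = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidCABFEV                 = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers ... OPTIONAL }.
// Qualifiers are left out here; encoding/asn1 tolerates trailing SEQUENCE elements when decoding.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// certificatePoliciesExt DER-encodes certificatePolicies (SEQUENCE OF PolicyInformation).
func certificatePoliciesExt(oids ...asn1.ObjectIdentifier) pkix.Extension {
	infos := make([]policyInformation, len(oids))
	for i, o := range oids {
		infos[i] = policyInformation{Policy: o}
	}
	der, err := asn1.Marshal(infos)
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidExtCertificatePolicies, Value: der}
}

// PolicyOIDs decodes the certificatePolicies extension of a parsed certificate (nil if absent).
func PolicyOIDs(cert *x509.Certificate) []asn1.ObjectIdentifier {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidExtCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			panic(err)
		}
		oids := make([]asn1.ObjectIdentifier, len(infos))
		for i, p := range infos {
			oids[i] = p.Policy
		}
		return oids
	}
	return nil
}

var serial int64 // constructed serial numbers for the demo hierarchy

// newCert issues a certificate (self-signed when parent is nil) carrying the given policy OIDs.
func newCert(cn string, isCA bool, policies []asn1.ObjectIdentifier, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if len(policies) > 0 {
		tmpl.ExtraExtensions = []pkix.Extension{certificatePoliciesExt(policies...)}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// assertsPolicy is true when cert carries oid or anyPolicy, the RFC 5280 matching rule.
func assertsPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range PolicyOIDs(cert) {
		if p.Equal(oid) || p.Equal(oidAnyPolicy) {
			return true
		}
	}
	return false
}

// PolicyValidDownChain walks a root-first chain and returns the CN of the first certificate
// that fails to assert oid; "" means the policy flows intact from the root to the leaf.
func PolicyValidDownChain(chain []*x509.Certificate, oid asn1.ObjectIdentifier) string {
	for _, c := range chain {
		if !assertsPolicy(c, oid) {
			return c.Subject.CommonName
		}
	}
	return ""
}

// CheckDemoChains builds constructed hierarchies and checks the OV OID down each, plus the EV OID
// down the OV hierarchy. Values are the CN of the certificate that breaks the policy, or "".
func CheckDemoChains() map[string]string {
	root, rootKey := newCert("Demo Root", true, []asn1.ObjectIdentifier{oidAnyPolicy}, nil, nil)
	ovInt, ovKey := newCert("Demo OV Intermediate", true, []asn1.ObjectIdentifier{oidCABFOV}, root, rootKey)
	anyInt, anyKey := newCert("Demo anyPolicy Intermediate", true, []asn1.ObjectIdentifier{oidAnyPolicy}, root, rootKey)
	staleInt, staleKey := newCert("Demo Stale Intermediate", true, nil, root, rootKey) // issued before the OID existed
	leafOV, _ := newCert("ov.example", false, []asn1.ObjectIdentifier{oidCABFOV}, ovInt, ovKey)
	leafAny, _ := newCert("any.example", false, []asn1.ObjectIdentifier{oidCABFOV}, anyInt, anyKey)
	leafStale, _ := newCert("stale.example", false, []asn1.ObjectIdentifier{oidCABFOV}, staleInt, staleKey)
	chains := map[string][]*x509.Certificate{
		"ov-hierarchy": {root, ovInt, leafOV}, "anypolicy": {root, anyInt, leafAny}, "stale-hierarchy": {root, staleInt, leafStale},
	}
	out := map[string]string{}
	for name, chain := range chains {
		out[name] = PolicyValidDownChain(chain, oidCABFOV)
	}
	out["ov-hierarchy/ev"] = PolicyValidDownChain(chains["ov-hierarchy"], oidCABFEV)
	return out
}

func main() {
	for name, breaker := range CheckDemoChains() {
		if breaker == "" {
			fmt.Printf("%-16s policy valid down the chain\n", name)
		} else {
			fmt.Printf("%-16s policy stops at %q\n", name, breaker)
		}
	}
}
```

The "stale-hierarchy" result is the point made about re-doing the hierarchy: the leaf asserts the OV OID, but the check stops at the intermediate that predates it, so the assertion in the leaf alone carries no validatable meaning. The "anypolicy" chain shows the usual way CAs avoid re-issuing intermediates, at the cost that anyPolicy asserts nothing specific, which is exactly the "consistency without value" problem raised above.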