We suggest *removing* any reference to WebTrust or any other audit
requirement from the EV guidelines and leaving this part to the *sole
discretion* of the browser vendors - the same way as it happens today.
In this case, no browser vendor has to *compromise* on its own standards
and criteria (for auditing).
The criteria for the issuance of the EV certificates are the EV
guidelines as proposed by cabforum.org, but the audit requirements
will stay with the software vendor, i.e. Mozilla according to the CA
policy <http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html>,
Opera by payment of the CA, KDE if the same is accepted in either FF
or IE, and Microsoft according to its WebTrust alliance.
We also suggest another change: also *remove* the WebTrust or
"equivalent" reference as a membership requirement and instead require
presence in one of the browsers which are members of the forum. It
would create a wider acceptance of the proposed EV certificates, because
shutting CAs out because of the sole WebTrust audit requirement (which
is only maintained by Microsoft) will most likely have a negative effect
(as seen already in bad press articles about the EV certificates).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390