
List:       openssl-users
Subject:    Re: [openssl-users] RE: Creating Extended Validation SSL
From:       Erwann ABALEA <erwann.abalea () keynectis ! com>
Date:       2010-09-27 8:32:25
Message-ID: 20100927083225.GS4221 () keynectis ! com

Hello,

Today, V Kal. Oct. MMX, Gumbie wrote:
>   I apologize to all for not looking into this more, before asking.
>   It isn't just a matter of adding the proper extensions. The
>   various browser software actually has the corporate policy OID
>   hard coded into the browser code. At first glance I would never have
>   thought this, as the delay to getting your product to the web
>   market may be a factor.

Please be more explicit about "your product". Is "your product" a
device? A server? If yes, then the delay is clearly not an issue; an
EV certificate can be bought and delivered in 1 or 2 days, if you're
ready for the necessary validations (EV stands for Extended
Validation).

>   Again unless you pay outrageous fees for
>   basically getting a notary seal from one of the certificate CA's
>   that have their policy already in place or you're out of luck!

Outrageous fees? A free SSL certificate is exactly of this value.
Zero, as nearly no verification is performed, or they're completely
automatic ones (i.e. send a challenge to a predefined email address,
wait for the answer, update the database to say 'OK, this guy controls
this address').

An EV certificate costs money:
 - robust facility, with safes, HSM, access controls, guaranteed
   connectivity (to provide revocation information), redundant sites
 - trained employees, and employee background screening (done on a
   regular basis)
 - up-to-date procedures; you seem to have downloaded the 1.0 version
   of the guidelines, dated 2007, but a 1.2 version is already out, and
   work is currently being done to update it; CAs must follow this work, and
   be informed about cryptography advances
 - "enrollment" of the CA on end-user products (some of them require
   work to be done, some of them require payment)
 - most sensitive operations performed under screening and validation
   of a notary (namely key ceremonies)
 - audits performed each year
 - certificate request validations performed manually (i.e. by
   humans), with access to different information repositories (some of
   them may not be free), contact of the entity requesting the
   certificate, gathering and controlling necessary documents (ID
   information, for example)
 - usually using proprietary software, written by the company
   itself, with quality controls, certifications, documentation,
   testing, etc.

All this has a price.

Try to live in a free world if you want to, but be prepared not to get
paid at all.

>   Again it's not the fact you have to meet the guidelines, my issue
>   is with the fees places like (no names mentioned) charge for
>   certificates. I do think they should get paid for work done, but I
>   don't think the current fees are in proportion with the product /
>   service provided...

I think you should have looked a bit more into it, before complaining :)

> Sorry if I offended anyone,

No offense, really. (We provide EV certificates, among other things,
and everything described above is really done.)

-- 
Erwann ABALEA <erwann.abalea@keynectis.com>
R&D Department
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
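The quoted paragraph above describes browsers recognising EV only when the certificate carries a policy OID hard-coded for its root. The following is an added illustration of that check, written for this page and not taken from the thread or any browser: it decodes the policyIdentifier OIDs from a DER-encoded certificatePolicies extension and compares them with a per-root allowlist. The root name "Example Root CA" and the OID 1.3.6.1.4.1.1234.1.1 are constructed placeholders; 2.23.140.1.1 (EV) and 2.23.140.1.2.2 (OV) are the CA/Browser Forum policy OIDs, and the extension bytes are constructed, not taken from a real certificate.

```python
# Hypothetical browser table: trusted root -> EV policy OIDs it may assert.
# "Example Root CA" and 1.3.6.1.4.1.1234.1.1 are constructed placeholders.
EV_POLICY_TABLE = {
    "Example Root CA": {"1.3.6.1.4.1.1234.1.1", "2.23.140.1.1"},
}

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (first arc 0-2)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(data: bytes, pos: int):
    """Read one DER TLV (short or long form length); return (tag, value, next)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def policy_oids(ext_value: bytes) -> list:
    """policyIdentifier OIDs of certificatePolicies ::= SEQUENCE OF
    PolicyInformation { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, seq, _ = read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)   # first element is the OID
        if tag == 0x30 and oid_tag == 0x06:        # qualifiers are skipped
            oids.append(decode_oid(oid_body))
    return oids

def is_ev(root_name: str, ext_value: bytes) -> bool:
    """EV UI only if a policy OID is hard-coded for the chain's root."""
    allowed = EV_POLICY_TABLE.get(root_name, set())
    return any(oid in allowed for oid in policy_oids(ext_value))

# Constructed extension values (not from a real certificate).
EV_EXT = bytes.fromhex(
    "3032"                                      # certificatePolicies SEQUENCE
    "3027" "0609" "2B0601040189520101"          # PolicyInformation 1.3.6.1.4.1.1234.1.1
    "301A" "3018" "0608" "2B06010505070201"     #   policyQualifiers: id-qt-cps
    "160C" "687474703A2F2F782F637073"           #   IA5String "http://x/cps"
    "3007" "0605" "67810C0101")                 # PolicyInformation 2.23.140.1.1
OV_EXT = bytes.fromhex("300A" "3008" "0606" "67810C010202")  # 2.23.140.1.2.2 only
```

The same certificate is EV under "Example Root CA" and plain DV/OV under any root without a hard-coded entry, which is the "enrollment" cost the reply lists.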