Well, now that we have a website www.cabforum.org, everyone knows the new standard we have been working on to improve SSL.
I thought I should write a note or two to clarify few issues and make few statements
1)Where the hell this CAB forum came from?
well, in April 05, I thought the time had come to bring together the people in the industry and own up to problems existed so that they could be resolved. One morning , I rang our Competitor Verisign folks and asked them if they would be in. They said np. Then we held the first meeting of this forum in a hotel near wall street in NY, hosted by Comodo.
What do you mean why did I do that? The same reason why I choose to give free firewall, free AV. I believe by bringing the industry together we could create a vehicle to help resolve “trust threats”.
2)What had to be done: The problem was, people who had root keys could issue certs willy nilly. There were no standards to follow or rules to abide with. That’s why some CAs were issuing unvetted certs. So stage one was to set a standard and get everyone to agree that unless they complied with this, their root would be kicked out of the root programme.
of course, then the question was: where do you draw the line for this standard. It was, still is, difficult to figure out. It was important to have a really good validation but still inclusive. Stage one is a good starting point, however we need to continue in making progress and make EV accessible to every legitimate entity who needs it. Identity Assurance is a key component in any commerce and especially so for e-commerce.
3)Why did we have to come up with a new GUI and not simply fixed the yellow padlock?: Well that’s a tough one. I don’t think its fair on the browser guys. Let me explain, there was no standard when browser guys included the root keys of certain CAs, so under what circumstance can they turn around and say, ok we are kicking your root out now? On what basis? There was no standard in the first place! So that would, imo, leave a huge liability for browser guys. Also it would take a lot longer to get the standard affected as there are already multi-year certs out there on the old SSL. And few other reasons that I can’t remember (yes, old age!).
4)Is this a way of CAs making more money? Well yes. But that was not the intended consequences at the begining. It was merely tring to address a problem, which turned out to be a new product that actually cost more money to implement due to its high standard requirement. (come on guys, give me a break will you, we give all desktop security for free!! let us make money somewhere will you(:SHY) )
more will follow as I get more questions/thoughts……
Melih