Hello,

Today, V Kal. Oct. MMX, Gumbie wrote:
> I apologize to all for not looking into this more, before asking.
> It isn't just a matter of adding the proper extensions. The
> various browser software actually has the corporate policy OID
> hard coded into the browser code. At first glance I would never have
> thought this, as the delay to getting your product to the web
> market may be a factor.

Please be more explicit about "your product". Is "your product" a
device? A server? If yes, then the delay is clearly not an issue, an
EV certificate can be bought and delivered in 1 or 2 days, if you're
ready for the necessary validations (EV stands for Extended
Validation).

> Again unless you pay outrageous fees for
> basically getting a notary seal from one of the certificate CA's
> that have their policy already in place or you're out of luck!

Outrageous fees? A free SSL certificate is exactly of this value.
Zero, as nearly no verification is performed, or they're completely
automatic ones (i.e. send a challenge to a predefined email address,
wait for the answer, update the database to say 'OK, this guy controls
this address').

An EV certificate costs money:
- robust facility, with safes, HSM, access controls, guaranteed
  connectivity (to provide revocation information), redundant sites
- trained employees, and employees background screening (done on a
  regular basis)
- up-to-date procedures; you seem to have downloaded the 1.0 version
  of the guidelines, dated 2007, a 1.2 version is already out, some
  work is currently done to update it; CAs must follow this work, and
  be informed about cryptography advances
- "enrollment" of the CA on end-user products (some of them require
  work to be done, some of them require payment)
- most sensible operations performed under screening and validation
  of a notary (namely key ceremonies)
- audits performed each year
- certificate request validations performed manually (i.e. by humans),
  with access to different information repositories (some of them may
  not be free), contact of the entity requesting the certificate,
  gathering and controlling necessary documents (ID information, for
  example)
- usually using a proprietary software, written by the company itself,
  with quality controls, certifications, documentation, testing, etc.

All this has a price.
Try to live in a free world if you want to, but be prepared not to get
paid at all.

> Again it's not the fact you have to meet the guidelines, my issue
> is with the fees places like (no names mentioned) charge for
> certificates. I do think they should get paid for work done, but I
> don't think the current fees are in proportion with the product /
> service provided...

I think you should have looked a bit more into it, before complaining :)

> Sorry if I offended anyone,

No offense, really.
(We provide EV certificates, among other things, and everything
described above is really done)

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org