The CAB Forum has been especially active over the last two months, proposing a number of significant changes to the Baseline Requirements and the EV BRs. The focus has been primarily on the EV BRs and continued efforts to promote the differentiation of EVs. While not explicitly stated, many of the CAB Forum members have suggested this is necessary due to lower than expected adoption of EV certificates.
This has resulted in a new focus on reducing the North American bias of many of the EV guidelines, a topic which was largely undiscussed until now. These (potential) changes are broken down below.
Ballot 121 – EVGL Insurance Requirements
This ballot failed (with strong contention). It was proposed by TrendMicro and asserted that the current requirement that EV certificates offer insurance should be completely abolished. TrendMicro and Mozilla have fairly strong evidence that there is little to no use for the insurance policies currently advertised to customers as an indicator of trust. Not only has there never been a time when the insurance policies were used, but it is also believed that even if invoked they would not be legally valid, and therefore do nothing for the end customers.
This ballot was introduced because it is believed that the insurance requirement hampers competition amongst CAs, as these policy requirements are a significant financial burden for smaller companies. It was also cited that in countries outside of North America, these policies are much more expensive.
However, opponents to this change claim customers will perceive a lack of insurance as a lack of faith in the certificates' reliability. They also cite certain countries which have insurance requirements outside of the CAB Forum rules, which would leave CAs in those countries still footing a bill whilst others would no longer have to pay at all. DigiCert is the biggest opponent.
The other problem to note is that this would simply do away with the requirement to offer insurance, not the ability. So it is very likely that Comodo and Symantec would keep their insurance anyway, as it sounds good despite offering no actual protection.
This could be a good or bad thing for The SSL Store. While we currently promote the insurance policies as a trust indicator and a way to upsell more expensive certificates, it seems superfluous to the core benefits of CA-signed SSL. If vendors decided to drop the insurance it would reduce their operating costs, which could mean lower vendor pricing. However, the costs of these policies should be thought of as fixed costs, not scaling costs. Therefore it may allow smaller CAs, whose certificates we don't resell, to reduce costs, whilst bigger companies like Symantec and Comodo may see almost no change to their overhead whether they keep the policies or not.
Whilst this ballot failed, I fully expect it to be reintroduced and for significant changes to the insurance requirements to pass.
Ballot 122 – Verified Method of Communication
This ballot failed to pass. It was addressing the increased difficulty surrounding telephone verification. The Forum recognized that many companies no longer see landlines as important and that it is increasingly becoming a problem locating third-party verified phone numbers for many companies. The Forum did not want to discourage OV/EV adoption for this reason, and instead wanted to move to a more generically defined "verified method of communication" to satisfy the callback requirement. This received wide support from CAs: not a single CA member voted no. However, Mozilla and Microsoft (the browser members) voted no, due to the lack of specificity surrounding these new methods of communication.
This proposal will be redrafted and reintroduced sometime in the future, with more detail given to satisfy the browsers. Some CAs seemed quite open to adopting SMS, Skype, and Twitter as methods of communication. It would obviously be a significant boon to The SSL Store if alternatives to landline callback were available.
Ballot 123 – Revalidation of Information
This ballot is in pre-voting stages. It will address whether certificate validity should begin during the validation process. It has two major components.
Its first proposal is that renewals could only reuse previous validation information if it was completed within 30 days of the original certificate's generation, and this does seem to be favored by multiple CAs.
Its second proposal only seems to be supported by a few more conservative CAs. Some want the "upper bound of [certificate lifetime] limited to the oldest piece of information. However, some CAs want it to be the newest piece of information (i.e. upon certificate issuance)." Under the first reading, if it took a customer 3 months to get validated, those would count as the first three months of their certificate. This would put significant additional pressure on helping customers get through the validation process quickly.
This would obviously be a difficult requirement to communicate to customers. I do not expect it to pass with such changes; however, the first proposal is likely to pass in some form. This would probably not affect The SSL Store or its customers, as CAs would still be able to look at previous information and would just need to revalidate it. This means the most difficult issue of "finding" information wouldn't need to be redone, and most (if not all) of the time investment required in validation would be incurred directly by the CAs.