• Home
• CA/Browser Forum
• EV SSL Certificates
• Objectives
• Vetting Process
• Certificate Contents
• FAQ

Guidelines for the Processing of Extended Validation Certificates, Version 1.0, Errata

1. Acceptable audits

Effective 13 Feb 2009

1.1 Delete the following paragraph from Section 6.1:

"An application developer shall recognize a CSP that is qualified to issue EV certificates by means of the CSP's audit report. The application developer must check that the report was issued by an auditor certified to conduct audits in accordance with an acceptable audit program. The report must be current and it must identify no outstanding deficiencies."

Insert the following paragraph:

"An application developer shall recognize a CSP that is qualified to issue EV certificates by means of the CSP's audit report. The application developer must check that the report was issued by an auditor certified to conduct audits in accordance with an audit program approved by the CA/Browser Forum as recorded in [ISSU] or approved errata. The report must be current and it must identify no outstanding deficiencies."

1.2 Delete the following paragraph from Section 14:

"Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [ISSU]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the application developer confirm that the CSP's audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit should provide a level of assurance equivalent to that of a WebTrust for CAs EV audit. See:

http://www.webtrust.org/index.cfm/ci_id/43988/la_id/1.htm"

Insert the following paragraph:

"Perhaps the most serious threat to the security of extended validation is the possibility that any one of the CSPs upon which the application relies fails to conform, or maintain conformance with, the EV requirements for issuance and management [ISSU]. The main safeguard against this possibility is the CSP audit. Therefore, it is important that the application developer confirm that the CSP's audit is current, identifies no deficiencies and was conducted by a properly qualified auditor. The audit program must be approved by the CA/Browser Forum as recorded in [ISSU] or approved errata. In general, claims of equivalence to an approved audit program are not acceptable."

Home ¦ CA/Browser Forum ¦ EV SSL Certificates ¦ Objectives ¦ Vetting Process ¦ Certificate Contents¦ Documents
Contact CA/B Forum
Copyright © 2006-2008 All rights reserved.