As a member of the CA/Browser Forum, we want to share our experiences with trying to overcome hurdles with trust anchor programs during recognition processes. This is not a complaint issue, we just want to discuss it and open to any kind of advice.
Oracle is not a member of the Forum, yet we want to mention that we have spent a lot of efforts to complete the application form. The only answer was that we had been rejected without giving any reason. They have said please apply 6 months later. We have asked for the reasons of rejection and what kind of improvements should we make to be successful. Simply, there was no response.
About Google, you probably all know, but let me remind once more that, the roots which you can give EV certs should be hardcoded to Chromium. Additionally, Android, as an OS, is a separate project where you should apply for this recognition process. It has been more than two years that neither our root is EV-enabled nor our root is recognized by Android.
The initial phase for our EV enablement had been planned to January 2013 and due to the case we experienced last year the process was delayed substantially, even more than a year. Again you know that we showed our professionalism in our reaction to the situation strongly and took every single action we could take and we had to take in the period after that case had happened.
Now that we have documented our process and took additional special audits as well as our periodic follow up audits for ETSI TS 102 042 certification, including all the provisions of CAB Forum BRs and EV Guidelines, we feel and truly believe that we should be on the line for any root inclusion and EV enablement process in terms of browsers’ root programs.
We have been in close contact with Google since last year about our EV enablement and root update for Android and we are trying to get a definite roadmap. We have already announced a few delays to our customers in our SSL market and need to inform them professionally and with certainty as soon as possible.
Google has said that we are approved in Android, yet it is said to take place in one of their future releases. No time period for release has been given. The customers are asking for it. How can you say them we were done, but we do not know when you can start seeing the green EV indications!?
In summary, we want that such processes should be transparent and open. There should be a followable roadmap and some objective criteria. More than a year is a huge amount of time.
If there are any other criteria for selection or recognition, let us know. The recognition process should not be a bottleneck for this ecosystem. Hence, at this point, we would like to emphasize once more that we are ready to take any additional actions to speed up the processes considering root inclusion.