On 06/12/2018 21:16, Viktor Dukhovni wrote:
On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>
wrote:
So, a CA that's supposed to validate its customer before issuing a certificate, may do a
"more sloppy job" if he doesn't cough up some extra money.
I think Peter is exactly right here. CA either do their job, or they don't. If
they agree to certify a set of attributes, they ought to verify each one of
them.
No, Uri, you get it wrong. Different levels of certainty are the
point.
Consider it like this:
DV: A regular printed business card that you can get from a
vending machine, proves very little.
The CA just checks that the person or robot requesting the
certificate has some semblance of control over the domain
name at the time of issuance. Price is as low as $0.
OV: A debit card with the supposed owner's name on it, available
from a number of companies that do minimal checking, but still
a better ID proof than a business card.
The CA must check that the company name and address are true,
using some basic steps such as checking that a company by that
name exists at that address and confirms they are the ones
requesting the certificate. There is no check that the company
name is an official name or that the company has a business
license etc. A traditional lemonade stand run by children can
potentially get an OV certificate if they stay in one place for
the time it takes to get the certificate. (A CA agent visiting
the company site is enough checking of company existence for OV).
EV: A proper photo ID with serious identity checking before being
issued, like a government passport. Includes the holder's
legal name and government ID number (literally), which can be
used to look up the subject's legal status.
The CA must check public records, and do some hard checks that
the request is officially from that company. There is a 50+
page official specification listing how every tidbit of
this information must be checked. The CA cannot limit
its own liability for certain failures to less than $2000.
Each step up the ladder gives the user more certainty the
person/website is who it says it is, but is more expensive
and difficult to obtain for the person/website. Each step also
costs more money for the CA to check, because there is more work
to do.
The "make it look green" and "fights crime" slogans were just
the old marketing campaign, repeated endlessly as a more
efficient sales pressure than the real explanation.
While the point of EV was that it certified a binding to a (domain + business name)
rather than just a domain with DV, it turned out that displaying the business name
was also subject to abuse, and the security gain proved elusive.
https://www.troyhunt.com/extended-validation-certificates-are-dead/
A traveling salesman for a cloud provider.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
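The three levels Jakob describes are not just a matter of price: the CA records which set of checks it claims to have performed in the certificate itself, as a CA/Browser Forum policy OID (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV), and an EV subject additionally carries the legal form, jurisdiction and registration number that Jakob mentions. The script below is an added example, not code from the thread or from the OpenSSL project: it builds three self-signed sample certificates with the openssl CLI (constructed; the company name, locality and registration number are made up, and 1.1.1 or later is assumed for `-addext`) and classifies any PEM certificate by the policy OID the CA asserted, falling back to the subject contents when no CA/B Forum OID is present. Note that the OID only records what the CA says it verified; it does not let the relying party re-check the vetting.

```shell
#!/bin/sh
# Added example (not from the original thread): classify an X.509
# certificate as DV / OV / EV from what the issuing CA encoded in it.
# Requires the openssl CLI; -addext needs OpenSSL 1.1.1 or later.

# CA/Browser Forum reserved certificate policy OIDs. The CA puts exactly
# one of these in certificatePolicies to assert which vetting level it
# applied (Baseline Requirements for DV/OV, EV Guidelines for EV).
EV_OID='2.23.140.1.1'
OV_OID='2.23.140.1.2.2'
DV_OID='2.23.140.1.2.1'

# has_policy CERT OID -> succeeds if certificatePolicies lists OID exactly.
has_policy() {
    oid_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text |
        grep -qE "^[[:space:]]*Policy: ${oid_re}\$"
}

# has_subject_attr CERT ATTR -> succeeds if the subject DN has ATTR=...
# RFC 2253 output escapes commas inside values, so splitting on "," is safe.
has_subject_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        grep -qE "(^subject= ?|,)$2="
}

# classify_cert CERT -> prints EV, OV or DV (or *-unmarked when the CA
# did not include a CA/B Forum policy OID and only the subject is left).
classify_cert() {
    if has_policy "$1" "$EV_OID"; then echo EV
    elif has_policy "$1" "$OV_OID"; then echo OV
    elif has_policy "$1" "$DV_OID"; then echo DV
    elif has_subject_attr "$1" O; then echo OV-unmarked
    else echo DV-unmarked
    fi
}

# make_cert OUT SUBJECT POLICY_OID -> writes a self-signed PEM cert to OUT.
# Self-signed, so the "CA" here is the subject itself; this only shows the
# encoding, not real vetting.
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1.key" -out "$1" -days 1 -subj "$2" \
        -addext "certificatePolicies=$3" 2>/dev/null
}

# make_samples DIR -> constructed sample certificates, one per level.
make_samples() {
    # DV: only the domain name is vouched for.
    make_cert "$1/dv.pem" "/CN=lemonade.example" "$DV_OID"
    # OV: organisation name and address added, checked to Baseline level.
    make_cert "$1/ov.pem" \
        "/C=DK/L=Soeborg/O=Example Lemonade ApS/CN=lemonade.example" "$OV_OID"
    # EV: legal form, jurisdiction of incorporation and the government
    # registration number (serialNumber) are also encoded in the subject.
    make_cert "$1/ev.pem" \
        "/C=DK/L=Soeborg/O=Example Lemonade ApS/businessCategory=Private Organization/jurisdictionC=DK/serialNumber=12345678/CN=lemonade.example" \
        "$EV_OID"
}

# Usage: sh classify.sh cert.pem ...   (no arguments: classify the samples)
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    set -- "$tmp"/*.pem
fi
for c in "$@"; do
    printf '%s: %s\n' "$c" "$(classify_cert "$c")"
done
```

A real-world caveat: many pre-2018 OV and EV certificates carry only the CA's own policy OID rather than the CA/B Forum one, which is why the fallback on the subject is kept; for those, the browser's EV treatment depended on a per-CA OID list, not on anything that can be read out of the certificate alone.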
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users