On 23/07/14 10:06, [email protected] wrote:
> The status quo today means that it is not possible to discriminate
> programmatically between a DV and OV certificate in a standardized,
> reliable way.

This is because Mozilla's position is that, in security terms, there is no relevant difference.

> This is unreasonable as the validation and assurance on such
> certificates are very different.

They are different, but not in a way that is reasonably measurable and auditable.

The very reason EV (which does have identifying OIDs, and can be distinguished programmatically) exists is because when it did not, there were a wide variety of practices concerning what was an appropriate level of validation for the O field in certificates. (And, I would say, _all_ of them were inadequate, some more so than others.) EV sets the minimum levels of validation, in a way which is agreed, auditable and audited. That meant that we were confident in displaying the O field to the user as a trusted piece of data - which we do in the URL bar.

If a cert does not meet the EV standards for information validation, we feel you cannot sufficiently trust the O field, and therefore from a security perspective there is no difference between that certificate and one where the O field is absent. Hence we make no UI distinction between OV and DV.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
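Gerv's point that EV "can be distinguished programmatically" rests on the certificatePolicies extension: an EV certificate asserts a policy OID that the browser recognises as EV (the CA/Browser Forum EV OID 2.23.140.1.1, or a CA-specific OID the browser has mapped to EV for that root). The following is an added example, not code from the thread or from Mozilla; it decodes the DER value of a certificatePolicies extension (the contents of the extension's OCTET STRING, not the whole certificate) with a minimal hand-written DER reader and reports whether an EV OID is present. The vendor OIDs under 1.3.6.1.4.1.99999 and the sample extension bytes are constructed for the example.

```python
"""Decode an X.509 certificatePolicies value and test for an EV policy OID.

certificatePolicies ::= SEQUENCE OF PolicyInformation
PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                   policyQualifiers ... OPTIONAL }
"""
from typing import FrozenSet, List, Tuple

# CA/Browser Forum EV policy OID; browsers additionally map per-CA EV OIDs.
CABF_EV_OID = "2.23.140.1.1"


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:  # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def _seq(*items: bytes) -> bytes:
    """Wrap DER items in a SEQUENCE (short-form length is enough here)."""
    body = b"".join(items)
    assert len(body) < 128
    return bytes([0x30, len(body)]) + body


def policy_oids(cert_policies_der: bytes) -> List[str]:
    """Return every policyIdentifier in a certificatePolicies value."""
    tag, outer, _ = _read_tlv(cert_policies_der, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids = []
    pos = 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        assert tag == 0x30, "PolicyInformation must be a SEQUENCE"
        oid_tag, oid_val, _ = _read_tlv(info, 0)  # qualifiers, if any, ignored
        assert oid_tag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_val))
    return oids


def is_ev(cert_policies_der: bytes,
          ev_oids: FrozenSet[str] = frozenset({CABF_EV_OID})) -> bool:
    """True if any asserted policy is in the browser's set of EV OIDs."""
    return any(o in ev_oids for o in policy_oids(cert_policies_der))


# Constructed sample extension values (not taken from real certificates).
EV_SAMPLE = _seq(_seq(encode_oid(CABF_EV_OID)),
                 _seq(encode_oid("1.3.6.1.4.1.99999.1.1")))  # hypothetical CA EV OID
DV_SAMPLE = _seq(_seq(encode_oid("1.3.6.1.4.1.99999.2.2")))  # hypothetical CA DV OID

if __name__ == "__main__":
    for name, sample in (("EV_SAMPLE", EV_SAMPLE), ("DV_SAMPLE", DV_SAMPLE)):
        print(name, policy_oids(sample), "EV" if is_ev(sample) else "not EV")
```

The asymmetry in the thread shows up in the code: `is_ev` has a definite answer because there is an agreed OID to look for, whereas nothing in `DV_SAMPLE` tells a relying party whether the CA validated the O field or only the domain; that is the "no standardized, reliable way" the quoted poster complains about.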

