On Wednesday, July 23, 2014 8:50:38 PM UTC+8, Gervase Markham wrote: > On 23/07/14 10:06, nick.l...@lugatech.com wrote: > > > The status quo today means that it is not possible to discriminate > > > programatically between a DV and OV certificate in a standardized, > > > reliable way. > > > > This is because Mozilla's position is that, in security terms, there is > > no relevant difference. >
Clearly EV is very much the gold standard, but I there is a relevant general difference between EV and DV even if not a security one. It would be nice if Firefox could state that the certificate was DV or EV in a neutral way without making / implying any security difference. > > > This is unreasonable as the validation and assurance on such > > > certificates are very different. > > > > They are different, but not in a way that is reasonably measurable and > > auditable. > > > > The very reason EV (which does have identifying OIDs, and can be > > distinguished programmatically) exists is because when it did not, there > > were a wide variety of practices concerning what was an appropriate > > level of validation for the O field in certificates. (And, I would say, > > _all_ of them were inadequate, some more so than others.) EV sets the > > minimum levels of validation, in a way which is agreed, auditable and > > audited. That meant that we were confident in displaying the O field to > > the user as a trusted piece of data - which we do in the URL bar. > > > > If a cert does not meet the EV standards for information validation, we > > feel you cannot sufficiently trust the O field, and therefore from a > > security perspective there is no difference between that certificate and > > one where the O field is absent. Hence we make no UI distinction between > > OV and DV. > There is a conceptual separation of concerns though from a certificate specifying that it is DV or OV and what, if any, UI would be appropriate to separate the two in a Web browser. No difference is a valid option. An extension to Firefox, for example, may want to show EV style UI in blue for those who understand the difference between the three types of certificate to draw inference from. Presently one could not do so based on standardized information contained within a certificate. Were it mandated that this information be included, Firefox would still be completely free to ignore the information from a UI perspective. Appropriate UI is a completely separate question to a certificate containing this information. > > Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
