From: Gervase Markham <g...@mozilla.org>

You forgot 0) Having sufficient trust in the validation of that
information to want to present it to users. That is what we do not
have for organizational information with anything short of EV.

   Two years ago, before the CA/Browser Forum issued the Baseline
Guidelines, that was a reasonable position. There's been considerable
progress since then.  CA/Browser Forum members now commit to the
Baseline Guidelines if they issue certificates with Policy OIDs
associated with data standards and relying party assurances given in
their Certification Practice Statement.  In other words, there are
standards for this now.

   Most CAs who issue SSL certs now recognize three levels of
certificate. The terminology varies. Some use the terms DV, OV, and EV.
Many European CAs use the terms Class 1, 2, and 3 certificates.
SwissSign calls them Silver, Gold, and Platinum.  It's necessary
to read through all the Certification Practice Statements and
collect the relevant Policy OIDs associated with each level
of assurance.

   I have been doing this.  The current data can be seen at

https://github.com/John-Nagle/certscan/tree/master/data/catypetable.ods

which is an OpenOffice/LibreOffice spreadsheet.

As you can see, almost all the big players have an OV-level product.
The main exception is Comodo, which only offers two levels, DV
and EV.  Some of the European CAs don't offer DV certs at all.

Some of the CPS documents are hard to translate.  Help with the
problems listed in the "Notes" column of that table would be
appreciated.

The CA/Browser Forum and the CAs have done most of the job.
Now we have good organization data to use.

                                John Nagle
                                SiteTruth
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
