Gervase Markham wrote:
> Absolutely - and quite right too. The vetting procedures which apply
> to this middle ground are secret and proprietary, and have never been
> audited.

Well, I'm not sure if this is a correct statement. Obviously CA policies and practices are no secrets and are published in most cases. Most procedures are defined and disclosed publicly, the same way the EV draft is now on show. The relevant CAs were also audited in that respect.

>> 1.) White address / tool bar and padlock ON for Domain / Email validated
>> only (Class 1).
>> 2.) Yellow address / tool bar and padlock ON for Identity / Business
>> validated (Class 2 & 3).
>> 3.) Green address / tool bar and padlock ON for EV certificates
>> (Class 4).
>
> What benefit is there to users of having a more complex system such as
> this? EV _is_ Identity/Business validated.

Personally I think the proposed EV / UI changes solve only part of the problem. This is the high end of digital certification and I assume also an expensive one. The majority of businesses will most likely refrain from EV certification for various reasons. This doesn't mean that properly and reasonably verified entities and the associated certificates are on the same level as, for example, "domain validated".

If a user must make a decision whether to trust a certain web site operator, it will help him if he can easily get an indication about what type of verification the entity has undergone. And since a change of the behavior of the UI is being discussed right now, I think we might go one step further and produce something better. I agree that this requires an additional effort, but so did the anti-phishing tool and many other things currently featured... our proposal isn't such a huge investment really (my assumption). Lastly, I highly suggest introducing a more extensive mouse-over popup than "Authenticated by...".

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
