Eddy Nigg (StartCom Ltd.) wrote:
> Gervase Markham wrote:
>> Absolutely - and quite right too. The vetting procedures which apply
>> to this middle ground are secret and proprietary, and have never been
>> audited.
>
> Well, I'm not sure if this is a correct statement. Obviously CA policies
> and practices are no secrets and are published in most cases. Most
> procedures are defined and disclosed publicly the same way the EV draft
> is now on show. The relevant CAs were also audited in that respect.

They were audited (if they had a WebTrust audit) to see how closely they
followed their procedures. No assessment was made as to the rigour or
quality of those procedures.

> Personally I think the proposed EV/UI changes solve only part of the
> problem. This is the high end of digital certification and I assume also
> an expensive one.

Why do you assume so? Has your CA done an assessment of what it might
cost for you to issue certificates to an EV level of validation?

> The majority of businesses will most likely refrain
> from EV certification for various reasons.

Can you be more specific than "various reasons", and explain the
reasoning behind your "most likely"?

> If a user must make a decision whether to trust a certain web site operator,
> it will help him if he can easily get an indication about what type of
> verification the entity has undergone.

Indeed. And I submit that the user has two possible states in mind:
"enough" and "not enough".

> And since a change of the
> behavior of the UI is discussed right now, I think we might go one step
> further and produce something better. I agree that this requires an
> additional effort, but so did the anti-phishing tool and many other
> things currently featured... our proposal isn't such a huge investment
> really (my assumption).

I am not arguing against your proposal on the grounds that it would be
additional effort.

> At last, I highly suggest introducing a more
> extensive mouse-over popup than "Authenticated by...".

That may well be worth doing, but I don't see it as core to this
particular discussion.

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security