Gervase Markham wrote:
> They were audited (if they had a WebTrust audit) to see how closely
> they followed their procedures. No assessment was made as to the
> rigour or quality of those procedures.
WebTrust or not, is not a function here! But an audit confirms the
procedures and controls in place. The policy and practices of the CA are
the basis of this assessment, which is publicly available! Therefore they
are not secret and proprietary, which was your original wrong statement!
And yes, the policy and practices define the quality of those procedures!
>> Personally I think the proposed EV/UI changes solve only part of the
>> problem. This is the high end of digital certification and I assume also
>> an expensive one.
>
> Why do you assume so? Has your CA done an assessment of what it might
> cost for you to issue certificates to an EV level of validation?
Not yet obviously! There are certain indications in the draft, which
suggest high costs for the CA and therefore for the subscriber.
>> The majority of businesses will most likely refrain
>> from EV certification for various reasons. 
>
> Can you be more specific than "various reasons", and explain the
> reasoning behind your "most likely"?
Many companies, especially smaller ones, will have various problems to
satisfy the requirements of the EV standard in addition to the most
likely high costs entailed with the extensive checking!
>> If a user must make a decision, if to trust a certain web site operator,
>> it will help him, if he can easily get an indication about what type of
>> verification the entity has undergone. 
>
> Indeed. And I submit that the user has two possible states in mind:
> "enough" and "not enough".
This depends on the level of risk involved! Enough and not enough is not
something general, whereas enough for A, might be not enough for
performing B and otherwise. We suggest to give an indication HOW
rigorous a subscriber was verified. According to these indications a
relying party can make a proper decision if to proceed.
>> And since a change of the
>> behavior of the UI is discussed right now, I think, we might go one step
>> further and produce something better. I agree, that this requires an
>> additional effort, but so did the Anti-phishing tool and many other
>> things currently featured...our proposal isn't such a huge investment
>> really (my assumption). 
>
> I am not arguing against your proposal on the grounds that it would be
> additional effort.
Good! Therefore we should focus on how the UI can be improved properly
to give the most and best information to the user, about how a digital
certificate was processed. Your suggestion of enough or not enough is
just the padlock in another form! Not much is gained here...You might
just leave it as is!
>> At last, I highly suggest to introduce a more
>> extensive mouse-over popup than "Authenticated by...".
> That may well be worth doing, but I don't see it as core to this
> particular discussion.
Because valuable information is included in digital certificates, such
as details about the subscriber, issuer and additional notes of the CA.
Displaying this information might help to prevent user mistakes and
provide indication about the certificate's policy etc.

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
