Gervase Markham wrote:
Robert Sayre wrote:
I understand what the goals are. I don't share them. I think telling
our users that EV cites are "more secure" is a mistake.
Presumably because you don't believe the additional vetting presents a
higher barrier to fraudsters? If so, could you elaborate on why it doesn't?
I believe it presents a higher barrier. Since there is no technical
advantage to EV, I am not sure that will matter, once ways of
manipulating the EV system are discovered by criminals (does anyone
think they won't figure something out?). I don't think Mozilla should
jump in right away. This is unpleasant, because it would then appear
that IE has a "feature" we lack. So, I understand the desire to go ahead.
...
Alternatively, we could allow EV for a subset of the audited CAs - which
is a possibility I mentioned might happen in exceptional circumstances -
but on what grounds (other than obvious disregard for the guidelines)
would we exclude CA A and include CA B?
We will probably arrive at this state if we are at all serious. We need
to have a clear definition of "obvious disregard" and the consequences,
so the event doesn't become a negotiation.
- Rob
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
