Gervase Markham wrote:
> Boris Zbarsky wrote:
>> No, he means "once all the reputable businesses have EV certs,
>> it'll be to the CA's financial advantage to introduce a new 'even
>> more trustworthy' type of cert (call it EEV), so they can sell all
>> those businesses EEV certs too".
>
> The CAs can't provide a business case for that unless the browsers
> agree to have yet another UI differentiator for these new EEV certs.
> And that's pretty unlikely, given that we want to reduce UI
> complexity and make security decisions easier. We'd have no motive
> to support EEV, even if they went off and invented it.

Uh yeah... and we aren't talking about "Jumping to" because MS and Verisign invented this new type of cert? And aren't "High Assurance" certificates (as they exist now from places like Comodo) supposed to be doing the same thing?

More assurances, and higher prices mean nothing, if the browsers don't provide a UI for the users to validate the certs (and what those certs mean) easily.

As someone who runs an SSL website, given a choice between the new EV certs and the older certs (ignoring price), why bother? I get nothing out of it, my users get nothing out of it (except maybe a green bar). And it doesn't solve any issue that this ( http://www.wikidsystems.com/WiKIDBlog/categories/Mutual%20Authentication ) doesn't solve better.

Remember there are at least 2 Free CAs listening and contributing on this list, that means monetary barriers (assuming a steep price from Verisign) won't be an issue for phishers.

<http://cert.startcom.org/?app=109>

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
