Duane wrote:

> Gerv is pretty adamant about supporting EV, and doesn't seem swayed at
> all by any arguments and discounts everything everyone has said in the
> past, yet so readily accepts Verisign's proposals...

Your axe-grinding just makes you more likely to be ignored. These are
not "Verisign's proposals", spin via The Register notwithstanding.

> OK, this is the crux of my argument: the problem I have isn't with the
> proposal, it is with the assumptions being stated as fact surrounding
> it, i.e. "This will make users safer", which is a load of crap, since
> most people shopping online may or may not be in a position to sue, and
> law enforcement may or may not be more willing to do anything about any
> transgressions.

If law enforcement is unwilling to prosecute fraud, then all that's left
is reputation. For reputation, you need to know who you are dealing
with. EV provides that - even on first contact.

> We can assume (with some certainty; anyone that has dealt with small
> companies will know how much they can penny-pinch) that because of cost
> very few people will purchase EV certificates. In my opinion it will be
> a really small amount, perhaps 1%, or at most 2%, of all certificates
> purchased (I think someone else mentioned that Verisign only expects
> 1%),

The worst-case scenarios presented by members of the CA/Browser Forum
(in the context of an argument where it was to their advantage to
minimise the numbers) were 20%.

> so we are left with a situation of EV certificates only covering 1%
> of business,

1% (or 20%) of businesses is definitely not the same as 1% (or 20%) of
_business_. Because not all businesses do an equal amount of business.
If only the top 10,000 retailers on the web adopted EV (and I hope it
will be much more widely adopted than that, in time), for a large number
of web users that would be every site they use.

> People have been creating relationships for a very long time with
> businesses without having some third party tell them the relationship
> will be good or bad (word of mouth is still the best form of
> advertising).

Indeed they have, in the real world. However, there are various things
about the real world which have no online analog. Primarily, if I visit
132 Church Street in London to a particular shop, I have numerous clues
from the location and appearance of the shop as to its age and
trustworthiness. If I buy something from a shop, and it turns out to be
defective, I am pretty certain of finding that shop again if I return to
the same address.

Neither of these things is true online. A business set up an hour ago
can look like one which has been trading for ten years; and a business
at one address today can be gone tomorrow.

Therefore, the "people have been creating relationships for a long time"
argument does not translate directly from the real world to the online one.

> The bigger issue here is that identity checks don't show trust, they
> show identity. Gerv is saying this is OK because the checks are
> extensive enough that you will be able to sue someone, but this isn't
> always the case; take Enron for example: I'm sure before all that
> happened with them, people would have said they were trustworthy.

I am happy to say that preventing another Enron is out of scope for EV.

Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security