Alaric Dailey wrote:
> and we aren't talking about "Jumping to" because MS and Verisign
> invented this new type of cert?
No, they didn't. It was invented by a consortium of CAs and major
browser vendors.
> And aren't "High Assurance" certificates (as they exist now from
> places like Comodo) supposed to be doing the same thing?
Supposedly. However, as Comodo won't tell you exactly what they do to
make it "High Assurance", you can't tell.
> More assurances, and higher prices mean nothing, if the browsers don't
> provide a UI for the users to validate the certs (and what those certs
> mean) easily.
What do you mean by "a UI to validate the certs"? What would such a UI do?
> As someone who runs an SSL website, given a choice between the new EV
> certs and the older certs (ignoring price), why bother? I get nothing
> out of it, my users get nothing out of it (except maybe a green bar).
It depends what you are doing on your SSL website. If you need people to
find your site via a search engine and then immediately trust you with
their credit card number, it may well be what you want. If you don't, it
may not.
> Remember there are at least 2 Free CAs listening and contributing on this
> list, that means monetary barriers (assuming a steep price from
> Verisign) won't be an issue for phishers.
EV is not designed to exclude phishers by high monetary prices. Whatever
the price is, it's a side-effect of the need to do additional validation,
which is the barrier. A phisher either has to give away information
about himself, or expend a lot of money spoofing the various indicators
and sources that the CA uses to cross-check. If he does the former, he
can be arrested. If he does the latter, he won't get a return on his
"investment".
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security