Gervase Markham wrote:
> Alaric Dailey wrote:
>> and we aren't talking about "Jumping to" because MS and Verisign
>> invented this new type of cert?
>
> No, they didn't. It was invented by a consortium of CAs and major
> browser vendors.
>
>> And aren't "High Assurance" certificates (as they exist now from
>> places like Comodo) supposed to be doing the same thing? 
>
> Supposedly. However, as Comodo won't tell you exactly what they do to
> make it "High Assurance", you can't tell.
>
>> More
>> assurances, and higher prices mean nothing, if the browsers don't
>> provide a UI for the users to validate the certs (and what those certs
>> mean) easily.
>
> What do you mean by "a UI to validate the certs"? What would such a UI
> do?
I don't know. What I do know is that different colored bars are going
to be ignored just like the lock.


>
>> As someone who runs an SSL website, given a choice between the new EV
>> certs and the older certs (ignoring price), why bother?  I get nothing
>> out of it, my users get nothing out of it (except maybe a green bar).
>
> It depends what you are doing on your SSL website. If you need people
> to find your site via a search engine and then immediately trust you
> with their credit card number, it may well be what you want. If you
> don't, it may not.
>
>> Remember there are at least 2 Free CAs listening and contributing on this
>> list, that means monetary barriers (assuming a steep price from
>> Verisign) won't be an issue for phishers.
>
> EV is not designed to exclude phishers by high monetary prices.
> Whatever the price is, it's a side-effect of the need to do additional
> validation - which is the barrier. A phisher either has to give away
> information about himself, or expend a lot of money spoofing the
> various indicators and sources that the CA uses to cross-check. If he
> does the former, he can be arrested. If he does the latter, he won't
> get a return on his "investment".
So what you are telling me is that any class 3 server cert from CAcert
is just as good as, if not better than, an EV certificate because the
person (ignoring weaknesses in the system, like paying off Assurers)
went through the trouble of getting validated in person, by a minimum of 2
people?

Maybe CAs that follow such rules should get an Aquamarine bar, to
differentiate them.

<http://cert.startcom.org/?app=109>

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security