Heikki Toivonen wrote:
>
> Actually, I am almost certain that you could register a company with
> that name in the US. I remember reading, many years ago, that there were
> companies called "Whatever", "I don't care", "The cheapest" and similar
> weird names. Weird, that is, until you realized that they were long
> distance phone companies. The way those names worked was that a user
> would call an operator to make a long distance phone call, and the
> operator would ask which long distance company the caller wanted...
>

Well, I can't argue with that, however a company name usually includes Inc, Ltd or AG or whatever.... More than that, had a human person, as required for Class 3 certificates, reviewed the certificate request, this shouldn't and wouldn't have been issued. BTW, the various definitions for Class 3 are very similar to the EV standard... so that was not the issue here really... I guess this went almost off-topic a little.

>> Sorry, perhaps I didn't make myself clear enough... The new guidelines
>> for auditing EV by WebTrust might be just perfect, but the problem is
>> the monopoly of authorized auditors by WebTrust. This is where the
>> Mozilla CA policy provides alternatives, which is from our point of view
>> very important.
>>
>
> The EV draft states auditing by WebTrust *or equivalent*.
>

Please define *equivalent*. The Mozilla CA policy defines it clearly, which should be done as well with the EV guidelines, otherwise it doesn't have any meaning and depends on interpretation!

> The identity of the CA would add value only if the user had any way of
> actually being informed what it meant and how trustworthy they are in
> their business.

Wait a minute! When you open the tab of the certification details, doesn't it say what it means? Do you need special education for this? It shows the details of the certificate - subscriber and issuer of it - and any other note the CA has bothered to include.

So if you read "Persona not validated", "Domain validated only" or "Fully Verified", doesn't it tell you about it? More than that, it might help if you can compare the name and details of the subscriber with the web site you visit...

> Even if Verisign started issuing 10% of their certs to
> obvious, known criminals, it would be unlikely to reach most people who
> use web browsers.
>

Which is out of the scope of certification, so depending on the procedures, issuing a Class 3 or EV certificate to obvious, known criminals shouldn't be possible... otherwise what is gained with it?!

> Some requirements for that to happen would be for major news outlets
> reporting that, and writing in the non-tech section explaining what
> people should be doing to avoid being bitten by that. I just don't see
> that happening, because the major news item of the day is Britney's
> divorce instead...
>

I think you paint the casual user just too "stupid". If he knows how to operate a computer and browser, then he knows how to read the certificate details. Otherwise let's just omit them perhaps? If the user gets burned by a web site, how does he know what to do, if he is indeed so helpless and uneducated?
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
