Hi Gervase,

*Please read this mail carefully!*

Gervase Markham wrote:
There are valid roles for domain-control certs - for example, if I get a Welcome pack from my ISP saying "Get your secure webmail at https://webmail.isp.net", then they don't need anything more than a domain control cert.
Obviously there is a need for all kinds of certification as you indicated here and it doesn't make "domain validated" or "reasonable validated" or "extended validated", bad, better or good. Domain validated certificates are excellent for the intended purpose... For your web mail, control panel, forum and whatnot they are green as in EV ;-)

For small purchases at some online shop (let's say up to 100 $ per purchase), reasonable validation might be in my opinion sufficient. It also means, that you most likely will not start procedures to sue the other party - so it's an option and you could. However there is a risk and it's a risk many of you are willing to take (almost daily). Similar risks exist when making a purchase in a foreign town, foreign country, catalog purchase etc. or by simply ordering a pizza by phone...

But when accessing your bank account, you want to be 100% sure, that only your bank can have a certificate for its domain name and therefore your bank most likely validated extensively and thoroughly. But since your relationship with your bank happened out of the scope of the Internet and you most likely visited a branch of the bank, there is no problem with trust in relation to the web site (and with the associated certificate). You simply know, that you arrived at the correct address and it's safe to exchange information with your bank.

This is what certificates are mainly good for and I believe a solution for other web sites which need to build up trust with its potential customers is out of the scope of SSL certification. A different forum and/or organization could provide such a solution perhaps and that's why I also believe, that the approach the EV/Browser forum is taking, _is wrong_, because it pretends and gives to the customer an illusion of being trustworthy and safe. It's not! It could even backfire at some point!

However the problem is, how to present this in the UI, since content can't be judged by the browser and yes, I believe the user must learn to make decisions. My stance is, to help the user as much as possible to make the right decision, and I offered one solution. There might be other and better ideas perhaps...

However pretending that EV is the best thing since sliced bread and it must be supported and implemented the way the CAs would like to have it, because it will solve all problems on the Internet and beyond, is a mistake...

EV's success is certainly not guaranteed. But if 200 Paypal customers have their account details stolen every day, and this becomes 150 because the other 50 IE 7 users go "no green bar - I won't enter my password" then that's obviously worth it for Paypal.
Two comments here:

First: Sites like Paypal, eBay and Amazon are unique and there aren't that many actually. For these sites one might look for a different solution perhaps. However it must be very clear, that businesses operating sites in that scale and size, are and must be aware of the risks they are taking! They must be prepared to defend themselves against attacks and must be willing to protect their customers - even if this means to reimburse a customer should he have fallen victim! It is first and foremost the risk and responsibility of the operators of these web sites! They are conducting their business the way they want to do it and nobody forced them into this. When operating such an online business, one has to calculate also the risks involved and be prepared accordingly. Except that, I believe, that these site operators are insured accordingly and know about all this very well!

Therefore I believe, that we (Browser vendors and CAs) are not, and should not, be the front line defense of this handful of web sites! It's perhaps not even in our interest to do this...why should we? These web site operators should learn how to defend themselves and their customers. Technology exists or can be invented - for example authentication procedures which are unique to their site...Many different ideas come to my mind here...

But the core question remains: Why should Mozilla take responsibility of a business which does not even belong to Mozilla?!!! It's _their_ business, _their_ profits and _their_ responsibility! Let them find _their_ own solution for _their_ own problem! These are huge enterprises which have the resources and possibilities to find their own solutions...by using simple user/pass pairs one might ask, if they are putting their own customers at risk on purpose?! In my opinion this borders on gross negligence!

Secondly, it seems to me, that the interested CAs in the CA/Browser forum simply found reasons and an easy way in order to justify the selling of over-priced digital certification by whining about phishing attacks on eBay and Paypal. But by introducing special color schemes at the browsers, smaller businesses will be more and more under pressure to purchase the same, otherwise they might lose business...and all this on the pretense, that EV is more trustworthy....

It doesn't have to solve the problem completely to be worth doing, and it doesn't have to be used by other sites to be valuable for your site.


--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security