Hi Ben, Ben Bucksch wrote:
EV (just like SSL) is based on the idea that users will pay attention to it, that they'll notice the change from usually green to now white when doing online banking and be alerted and halt.
If this assumption turns out to be correct, then imagine the potential damage to a subscriber until he gets a new certificate from a different CA. Which leads me to something else....
I believe - so I don't know this for certain - that currently no well-defined policy exists at Mozilla for removing either a CA or eventual EV support. This is something which has to be clearly defined and _procedures should be implemented_ on how, when, why and if any of these can be performed.
If you disable EV for a specific CA (could we do that), how is that different from today? That the change is more subtle, less annoying.
However, under such a scenario it is most likely that the CA will fall most of the time, if not always, into a grey area, by having performed some steps and some maybe omitted. Now Mozilla would need actual facts about the omitted validation procedures or shortcomings by the CA, information to which Mozilla doesn't have access! Without these facts, Mozilla would have extreme difficulty justifying such a step as removing a root or removing EV support eventually!
It is also likely that only a very small number of wrongfully issued certificates or those with incomplete verifications will surface, making it even harder for Mozilla to do anything - especially when the size and "importance" of the CA is higher. After how many dubious certificates should anything happen? What does Mozilla have to prove and what are the options of the CA?
But imagine now that a company received an EV certificate and this very company turns out to be a real crook.... The CA most likely has performed the verification correctly according to the guidelines (which turned out to be much more "flexible" than I thought) under such circumstances, but because of the _wrong expectations EV raises_, the damage to relying parties could be much higher than usual! And there is nothing Mozilla can do about it! And EV and the browser vendors will become the laughing stock of the Internet news sites...
And it doesn't help that one can sue this company, because it closed down in the meantime and the owners are having a good time on some nice island! There is also no insurance money to take, because the CA performed the validation according to the guidelines. But the expectations are raised today tremendously, mainly by Microsoft and the various CAs themselves, way beyond what they are and what they can provide... and this is just another argument why there shouldn't be any special treatment of EV or any other standard put forward by some interest group - at least for now!
-- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
