Eddy Nigg (StartCom Ltd.) wrote:
> Gerv, I think you are concentrating too much on what Level 2 means,
> instead of trying to see the whole picture first and which problem the
> proposal tries to solve. But here are a few thoughts about "Level 2",
> since you are insisting on it. First, a few facts:
>
> - This type of certification is the most common after domain validated.
> It's also entirely unregulated. A CA can claim that they do identity
> validation, but there's no way of knowing exactly what they do and how
> effective it is.
>
> - EV will not be the replacement of "anything higher than domain
> validated". According to estimates from various sources (including
> Verisign), EV will be used for between 1000 and 4000 sites, or about
> *one percent or less* of all issued certificates today.

Do you have a source for these estimates? I think it's rather unlikely
that the CAs collectively would have had seven or eight on-site meetings
over three years, and devoted so much time to the effort, if the total
potential income from EV, shared between all of them, was between $500K
and $4M.

(No, this is not an excuse to rant about the cost of EV. I mention this
only as one reason why I think your estimates are unlikely, not because
"EV is all about the money" or anything like that.)

> Now, it really depends on what you can do with this second Level. And it
> is a decision which depends on the user mostly. However, the user must
> receive the correct indications and/or information to make a decision,
> which today he most likely can't.

I don't understand how what you are suggesting would work out in
practice. It seems to me that you end up somewhere between these two
extremes:

1) Tell the user "The CA has taken the following eight steps to verify
the identity of the owner of this website. Using your skill and
judgement, decide how effective you think those steps would be at
identity validation, and then decide whether to use your credit card here."

2) Tell the user "Yes, you can use your credit card here".

Of course, there are many stages in between. But, as you are saying "the
user must receive the correct indications and/or information to make a
decision", it seems you are closer to 1) than 2). Would that be fair?

The problem with anything anywhere near 1) is that the user is absolutely
unqualified to make such a judgement. It's equivalent to the following
scenario.

Say you want to go somewhere on a bus. There are two competing companies
serving the route. You are told "Bus safety is entirely unregulated. Bus
company A has the following maintenance and safety procedures. Bus
company B has this other set of different procedures. Which would you
like to travel with?"

> Certification is about identity validation and one shouldn't forget
> that. No level, including EV, promises to safeguard your private
> information or to prevent misuse of your credit card details.

Only insofar as, if you know a lot about a person, they are more likely
to deal with you honestly.
Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security