Gervase Markham wrote:
- Someone will buy a level X cert, but the UI will say it's the same
as level X - 1, and so they will be upset that they've wasted money
I don't think it's your job (Mozilla) to take care of eventual business
models of the CAs. Let them take care of this.
Yet five levels is complex to indicate.
Level 0 is already handled by the UI. We have to find a solution for the
other three or four levels.
(or are we doing that bit by asking the CAs to include new OIDs?)
Yes, Gerv! It's in the proposal and it was explained various times by now...
(which still has to be defined in any case. Completely missing or
irrelevant from current policy).
Actually, it's rather important.
Agreed! So this is separate issue which has to be solved anyway. It's
not connected to this proposal.
EV addresses this problem too;
EV addresses only a small part of the overall brokenness of SSL in
software which supports it and leaves everything broken. It doesn't
provide an overall solution at all, which it should have. But this is
not the goal of EV, since EV is a business plan. It might hurt the
SSL/browser pair more in the long term.
Definitely something for the lawyers, in that it would fundamentally
change the relationship between CA and browser. Currently, we have no
contract, and so no obligation to continue including the cert. A
contract would probably have commitments both ways, implied if not
explicit.
No! The Mozilla CA policy says clearly, that there is no commitment and
a CA root can be removed. It's part of that contract anyway! No problem
here...
Yes. As I've explained several times (and as you know) they are
audited to make sure they comply with whatever their policies are.
Exactly!
They are *not* audited to make sure there's a minimum level of
validation.
Wrong! The audit confirms every type of levels, classes and
verifications a CA performs (implied by the CA policy and practices).
Your first statement contradicts the second one.
Oh come on, Eddy. Are you telling us that there's any possibility that
we'd do all this work and then _not_ differentiate in the UI?
You are saying the same about EV, my friend! Exactly the same...You
promoted EV while taking the UI out of the discussion. EV doesn't
provide or suggests the UI, neither does my proposal - with the
difference, that my proposal tries to solve *all* SSL, not just a small
part of it - if at all!
Concerning the work involved, our proposal doesn't require one iota more
of it than yours:
- You will have to extend the Mozilla CA policy anyway in both proposals
and...
- You'll have to add detection of an OID anyway in the NSS library and....
- You are going to change the UI anyway.
Then what is to prevent the CA claiming it does lots of verification
and then actually doing none?
CA policies and practices are the legal contract between all parties
involved. If a CA doesn't adhere to its own policy an affected party can
sue them. But with our proposal the browser at last defines what these
verifications are and bind the CAs promises to it. Anybody wishing to,
will know what the verifications mean.
*It's also entirely unregulated.* A CA can claim that they do identity
validation, but there's no way of knowing exactly what they do.
Exactly Gerv, I see you start to get it....This is why we are going to
define it so we *know* exactly what it means. That's all the reasoning
behind it.
(More in depth, Mozilla provides the definition and framework and the CA
uses this definitions to rate their procedures. Then we all know what
the deal is.)
Do you have a source for these estimates?
Verisign.
I think it's rather unlikely that the CAs collectively would have had
seven or eight on-site meetings over three years, and devoted so much
time to the effort if the total potential income from EV, shared
between all of them, was between $500K and $4M.
It is. Every year. Its income will be close to all certificates combined
today. They don't care, if there are free or low cost certification if
they can make a buck out of one percent of them. But not all of them
will make it...
(No, this is not an excuse to rant about the cost of EV. I mention
this only as one reason why I think your estimates are unlikely, not
because "EV is all about the money" or anything like that.)
Except that it is ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
