Eddy Nigg (StartCom Ltd.) wrote:
> Gervase Markham wrote:
>> - Someone will buy a level X cert, but the UI will say it's the same
>> as level X - 1, and so they will be upset that they've wasted money
>
> I don't think it's your job (Mozilla) to take care of eventual business
> models of the CAs. Let them take care of this.

So if Mozilla is not showing a particular level, and the CAs are not
selling certificates at a particular level... what's the point of having
the level?

>> Yet five levels is complex to indicate.
>
> Level 0 is already handled by the UI. We have to find a solution for the
> other three or four levels.

Four levels is also complex to indicate. Three (something like
"nothing", "shop", "bank") is possible, but has also been objected to as
too complex. I personally think three is the sweet spot.

>> Definitely something for the lawyers, in that it would fundamentally
>> change the relationship between CA and browser. Currently, we have no
>> contract, and so no obligation to continue including the cert. A
>> contract would probably have commitments both ways, implied if not
>> explicit.
>
> No! The Mozilla CA policy says clearly that there is no commitment and
> a CA root can be removed. It's part of that contract anyway! No problem
> here...

It says that; that doesn't necessarily mean a CA wouldn't win a lawsuit
if we removed their root and they sued. There may be an implied contract.
We both agree that it's one for the lawyers; my point is only that you
cannot assume that we can definitely have a one-sided contract with a CA.

>> They are *not* audited to make sure there's a minimum level of
>> validation.
>
> Wrong! The audit confirms every type of levels, classes and
> verifications a CA performs (implied by the CA policy and practices).
> Your first statement contradicts the second one.

No contradiction. Focus on the word "minimum". If you say you will do no
verification at all, and you actually do no verification at all, you
pass the audit.

> You are saying the same about EV, my friend! Exactly the same... You
> promoted EV while taking the UI out of the discussion. EV doesn't
> provide or suggest the UI, neither does my proposal - with the
> difference that my proposal tries to solve *all* SSL, not just a small
> part of it - if at all!

The difference is that your proposal is not an attempt to improve the
(in my view, poor) quality of information embedded in current certs -
it's just an attempt to assign a set of numbers to the status quo.

>> Do you have a source for these estimates?
>
> Verisign.

A public source? A URL?
Gerv