Gervase Markham wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> That's right! But the audit confirms exactly that (in your example,
>> no verification). The CA will have to mark its certificates compared
>> to its policy which was audited accordingly.
> Why will they "have to"?

Because they would like to have their certificates detected accordingly.
If there is no OID, then the browser doesn't know what to do and probably
marks it as the lowest level by default (just a suggestion - it could
also state that it doesn't know the assigned level, be careful!).

> Who is the policeman?

Gerv, please answer me these questions here, I'll wait for your answer:
Are you a policeman today? Will you be a policeman with EV?

> And, inevitably, there is a certain amount of judgment involved in
> deciding whether a particular set of practices meets a particular
> Mozilla "level".

I simply don't think that this will be an issue at all. The levels will
be defined clearly and understandably. A CA will be able to judge if he
does A, B, C for level X; if not, he goes down one level and checks if he
does A and B, etc. CAs are not idiots; they can handle that.

> Who arbitrates when there's a dispute?

Who arbitrates when there's a dispute today?

> And I've pointed out several times that this URL is factually
> inaccurate, and bad reporting.

Not with respect to the expected percentage of EV certificates. Verisign
never disputed this, but other parts of this interview!!!!

> Actually, I'm afraid I might have to quibble even over your attempt to
> find common ground. :-(

Well, I think there is quite some common ground here. I don't need to
find it, it is here...maybe because it is the right thing to do?

> EV is indeed an attempt to strengthen identity verification.

Which is a nice thing, really! A very noble goal; however, thorough
identity validation exists already. It's just more of the same in a new
color...(green was suggested ;-))

> His suggestion is that CAs self-classify their existing offerings into
> one of 4 categories.
> Therefore the reason I object is that it seems to me that, in the face
> of the new consumer-level identity spoofing threats which were not
> present for the first ten years of the life of SSL, _none_ of the
> current practices are sufficient.

Huuu? "new consumer-level identity spoofing threats"??? LOL
Gerv thinks that EV is a new invention...Please read a few CA policies
and practices and you'll find EV all over...Class 3 validation and
higher exists and current practices exist! All it needs is that
browsers know how to differentiate between the various verification
procedures...this is what is insufficient!

> Both of these are the names of banks. The organisation which obtained
> these potentially confusing certificates (to prove a point) didn't
> even have to lie to get them. I'm sure those willing to stretch the
> truth a bit more could achieve "better" results.

The certificates in question are most likely domain validated. They
won't go away! That's one of the reasons for our proposal, e.g. the
relying party has to know about this. Of course he should also know
about other verifications (i.e. higher levels as well). You can't force
them to buy "green certificates" and they'll continue using the low
level certificates (as a matter of fact, we had to issue many domain
validated certificates to financial institutions - so we have special
requirements for them, but they are still Class 1 labeled). The relying
party has to know about it...and, repeating myself, it's our duty to
make the relying party aware of the type of verification. This is what
our proposal will fix!

> Just for your interest, I proposed a UI to take advantage of that fact
> a while back; I called it "New Site" or "First Visit":
> http://www.gerv.net/security/phishing-browser-defences.html#new-site

Which is what Ben Bucksch calls "SSHing the browser". So this should be
implemented; it's not connected to this proposal (Ben specifically asked
not to tackle this right now).

> absent the desire of the Mozilla Foundation to play "CA Cop" and spend
> ages evaluating the different procedures of all the CAs, all we can do
> is lump all existing "organisationally-validated" certificates into
> the same "identity not sufficiently verified" category.

Bullshit...you are repeating this, even though you have received answers on
this...To "lump all existing" into one category is what browsers have
wrongfully done since they have existed!!! We are going to change this! That's
exactly the wrong...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security