Response embedded below....

> -----Original Message-----
> From: William X Walsh [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 04, 2001 5:13 PM
> To: Darryl Green
> Cc: [EMAIL PROTECTED]
> Subject: Re: GeoTrust/QuickSSL and the meaning of Certs
>
>
> Tuesday, Tuesday, December 04, 2001, 1:29:24 PM, Darryl Green wrote:
>
> > I don't want to generate a huge discussion about the validity of the browser
> > recognition claims but I do find the 90%+ a little difficult to swallow. I
> > would however like to know if that's important to you or not.
>
> No, it's really not.
>
> > 2) More importantly I would like to discuss the meaning of SSL:
> > QuickSSL certificates do not verify identity. The fine print on the QuickSSL
> > certificate acknowledges that this is the case (Organizational Unit not
> > Validated -- or some such language appears)

Identification is not completed to the same degree as traditional Web Certificates. The CPS states -- "GeoTrust will verify that the Subscriber had the right to use such Domain Name at the time it submitted its application." --- This is not identity. It also acknowledges "GeoTrust will insert an Organization Unit field "Organization Not Validated" or similar language for all QuickSSL Web Server Certificates." No matter though.. the more important conversation is whether or not that 'identity' component is important.

> Sure they do, they verify it to the same standard that DOMAIN
> REGISTRARS like Tucows do for transfers of domains. If this standard
> is ok for domain transfers, then it should be ok for SSL Certs.

This is not exactly the same thing. The 'True' identity of the counterparty in a domain name transfer isn't all that important. The important item is that 'Whoever-it-is' needs to have control of the domain name for the purposes of transferring it. The Admin contact is the de facto owner of the domain and has the right to control its transfer (it doesn't matter if the e-mail address is [EMAIL PROTECTED] and the contact info says First Name: Darth, Last Name: Vader). However, if you are going into a contract of sale for that domain name, the contract of sale has to be with a real individual (person or business). You shouldn't contract with an Alias. You will never be able to enforce it. An e-commerce transaction is more analogous to the contracting process than the transferring process.

> Once
> the domain has changed hands in a transfer, getting a cert for it
> would be easy. There is no inherent benefit of the other CA's
> practices in this regard over Geotrust's.

True if you are always dealing with already trusted entities. If I am giving my payment to an Amazon.com web site and get confirmation e-mails from [EMAIL PROTECTED], I have good evidence that shows that my transaction was with Amazon and I know who controls the domain name.

If I am dealing with an unknown entity, the situation is different. If I order a set of Pirelli tires from HayBobs.com (no slight intended if haybob really exists), I forward payment and then never receive my tires. Hay Bob doesn't really exist, none of the contact info in the whois is legit. I have no recourse. If I gave them payment over a secure connection... I know who he is and can seek recourse. I therefore think that abandoning or diminishing the identification verification portion is short-sighted (I am using the pronoun 'I' intentionally - not everyone within Tucows feels the same way I do about this - truth is it's a bit lonely on this island right now). It will serve to increase the consolidation of e-commerce by putting even more emphasis on the brand of the e-commerce site and will prevent the use of the Internet for purchase of higher dollar value transactions among strangers.

> > been speaking with a member of the WebTrust standards making body. He (and
> > assures me others on the body) are very disturbed by the QuickSSL offering
> > and (I quote) will work 'quickly and forcefully' to stop it. This will be
> > accomplished by insertion of minimum verification requirements in the
> > WebTrust Standard.
>
> I bet they are. This presents a serious threat to the "old style" way
> of doing things, and threatens to turn the entire SSL Cert market on
> its head. I bet they want to stop it.

It's true that there is a lot of self-interest to wade through (you and I both have it as well). However, on balance, I believe that for the Internet to become the dominant means of transferring goods and services of all values there will have to be a means of binding off-line identity with on-line identity. This will be necessary for dispute resolution.

Ultimately, maybe this will be through association in buying groups (old EDI model), maybe it will come through Trusted Third Parties (CA model) that verify credit risk, business history, as well as identity, maybe it will come through participation in an on-line marketplace where the users police each other for compliance with the rules of the marketplace (Ebay model), or maybe something else. However, if we take away the 'identity' portion of a web certificate we ensure that this will never become the means (guess that explains the self-interest of the certificate vendors). I should add that I've yet to be fully convinced in any direction yet, which is why I'm hoping that a good vibrant discussion evolves around this.

> I say screw 'em.

Fair enough, but we can't ignore them. Microsoft has stated that they will revoke the browser root for companies that don't pass the WebTrust audit.

> > Their concern (and my concern too) is that the industry has been working to
> > explain the meaning of web certificates and that little lock in the browser
> > to the public.
>
> They are trying to make it mean more than what the concerns take it to
> mean, and that is plain BS.
>
> > A big portion of that message is that end-user identity is
> > established. QuickSSL is offering a new type of lock that does not certify
> > identity.
>
> Bullocks. The identity is verified to the same standard required by
> domain registrars.
>

Bullocks...Good word! Have you been watching re-runs of MASH?

> --
> Best regards,
> William X Walsh <[EMAIL PROTECTED]>
> --
> Webcertificates.info
> SSL Certificates for resellers from $49ea
>
