Peter Gutmann wrote:
Ian G <[EMAIL PROTECTED]> writes:
In the below, John posted a handy dandy table of cert prices, and Nelson
postulated that we need to separate high assurance from low assurance.
Leaving aside the technical question of how the user gets to see that for
now, note how godaddy charges $90 for their high assurance and Verisign
charges $349 for their low assurance.

Does anyone have a view on what "low" and "high" means in this context?


Given the universal implicit cross-certification model used in browsers,
mailers, etc etc, the only things that "Low" and "High" apply to are price,
not assurance.

(UIXC means that all certs are implicitly trusted equally, which is the same
as having all CAs cross-certify all other CAs.  The effect of either
implicitly or explicitly doing this is that all CAs are only as secure as the
least secure CA, and the only certificate that it makes any sense to buy is
the cheapest one).


I understand that part.  But let's say that we wanted to
*expand* the binary security model (your UIXC) into a
2 tier model, or a ternary security model.

That is, have the browser display "low" and "high" by
some method ... because, by way of hypothetical example,
some low assurance certs are clearly inadequate by some
measure for some purpose.

(The method is unimportant for the discussion;  it could
be a tick and two ticks, or a smiley and a grin...)

Would then there exist anywhere a suitable definition
of what the difference is between "low" and "high" ?
Something to hang one's hat on?  Something to differentiate
the meaning when poor Alice sues Trent for being phished?

Or is this merely a distinction in adspace only?  Just a
way to separate more dollars from Alice?

(And, as a detailed later question, how come godaddy's
"high" is a quarter of the price of Verisign's "low" ... !)


Indeed, what does "assurance" mean?


You are assured that your credit card will be charged before the certificate
is issued.

Peter.


:-)


-- 
News and views on what matters in finance+crypto: http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security