Hi all!

> Many public CAs suggest Extended Validation for certificates 
> of web servers. [...] I had a talk with a specialist 
> of technical support of Thawte [...] He also refused 
> to answer how browser determines what bar to display - 
> green or yellow?

See the thawte Certification Practice Statement, Version 3.3 [1], at
page 96 in the PDF (section D. EV CERTIFICATE CONTENT AND PROFILE):

    7. EV Certificate Policy Identification Requirements

    (a) EV Subscriber Certificates

    Each EV Certificate issued by thawte to a Subscriber will
    include thawte's EV OID in the certificate's certificatePolicies
    extension. thawte's EV OID used for this purpose is
    2.16.840.1.113733.1.7.48.1

Wikipedia has a list with links to other CA EV OIDs in the page
Extended_Validation_Certificate[2].

It would be interesting to have some non-Thawte certificate with
2.16.840.1.113733.1.7.48.1 - I think, depending on the check
implementation, it could happen to appear green...



> Vladimir Belov: If you say that "the SSL Web Server 
> certificate would have the same properties, extensions, etc, that 
> our Extended Validation certificates "
> Clifford: Unfortunately that is information that we cannot disclose.
> Vladimir Belov: Why? :)
> Vladimir Belov: Is this so secret?
> Clifford: That is correct.

I consider this unacceptable. This is not just "Security through
obscurity" [3], because the "Certification Practice Statement" in my
opinion MUST NOT be secret. Interestingly, I had to use the Thawte
web search function to locate the document; I think it should
be easy to find. Trust is all about believing that CPSs are strictly
followed -- and that they are sufficient for customers' needs.
So they must be available, I think.
I'm afraid this shows how uninterested users are in trust...



Regards,
Steffen

[1] https://www.thawte.com/assets/documents/repository/cps/Thawte_CPS_3_3.pdf
[2] http://en.wikipedia.org/wiki/Extended_Validation_Certificate
[3] http://en.wikipedia.org/wiki/Security_through_obscurity
 
-- 
End of message.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org