Peter Bowen via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>I have to admit that I'm a little confused by this whole discussion. While
>I've been involved with PKI for a while, I've never been clear on the
>problem(s) that need to be solved that drove the browser UIs and creation of
>EV certificates.

Oh, that's easy:

  A few years ago certificates still cost several hundred dollars, but now
  that the shifting baseline of certificate prices and quality has moved to
  the point where you can get them for $9.95 (or even for nothing at all)
  the big commercial CAs have had to reinvent themselves by defining a new
  standard and convincing the market to go back to the prices paid in the
  good old days. This déjà-vu-all-over-again approach can be seen by
  examining Verisign’s certificate practice statement (CPS), the document
  that governs its certificate issuance. The security requirements in the
  EV-certificate 2008 CPS are (except for minor differences in the legalese
  used to express them) practically identical to the requirements for
  Class 3 certificates listed in Verisign’s version 1.0 CPS from 1996 [ ].
  EV certificates simply roll back the clock to the approach that had
  already failed the first time it was tried in 1996, resetting the
  shifting baseline and charging 1996 prices as a side-effect.

  There have even been proposals for a kind of sliding-window approach to
  certificate value in which, as the inevitable race to the bottom cheapens
  the effective value of established classes of certificates, they’re
  regarded as less and less effective by the software that uses them (for
  example browsers would no longer display a padlock for them), and the
  sliding window advances to the next generation of certificates until
  eventually the cycle repeats.

That was written about a decade ago. As recent events have shown, it was
remarkably accurate. The sliding window has just slid.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy