Robert Sayre wrote:
I don't see a financial incentive to prevent that from happening again.
Is there one?
If the CAs don't pass the EV audit, then the browsers issue a security
update which stops that CA's certs triggering the EV UI. Whereupon all
their customers shout at them loudly, and decamp for other CAs.
Because they would then be differentiated from existing certificates
which don't provide the sort of protection etc. etc.
My understanding is that they don't provide additional protection from a
technical perspective. They only indicate a different social procedure.
Yes. What's your point? There's no need for additional technical
protection; SSL is a good and secure technology. Technical protections
are not what CAs do; their entire job is "social" (in your terms).
We should be skeptical that they will work as planned, since there is no
track record of success.
Neither is there for anything new. Read the draft. Do you see any reason
why it shouldn't work as planned?
Gerv