Eddy Nigg (StartCom Ltd.) wrote:
Hi Gervase,

Gervase Markham wrote:
Alternatively, we could start again with a new UI indicator, this one
actually backed by an objective standard and a minimum level of
vetting. Which is the idea behind EV.

May I suggest an idea / proposal for a real improvement for the UI in
conjunction with SSL certification, which perhaps will help the casual
user best:
<snip>

This proposal has already been made in the context of the forum. (As a CA, I would suggest you consider becoming a member and putting your feedback in that way, rather than through this group.)

At the low end we have "Domain Validated" certificates and at the high
end will be the proposed EV certificates. Both of them have a place in
the SSL landscape, especially if used for the correct purposes. But there
is also a range in between, which seems to be thrown together with the
lower end.

Absolutely - and quite right too. The vetting procedures which apply to this middle ground are secret and proprietary, and have never been audited.

When we looked at the current problems 2 years ago, the browser makers had a choice of trying to find out everyone's procedures and work out which ones were "good" and which were "bad" (a Herculean task) or defining a new, public, higher standard that CAs could choose to adhere to or not. We chose the latter; no browser maker seems keen to revisit that decision.

1.) White address / tool bar and padlock ON for Domain / Email validated
only (Class 1).
2.) Yellow address / tool bar and padlock ON for Identity / Business
validated (Class 2 & 3).
3.) Green address / tool bar and padlock ON for EV certificates (Class 4).

What benefit is there to users of having a more complex system such as this? EV _is_ Identity/Business validated.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
