Hi Gerv,

Thanks for these useful answers and clarifications. Most of it answered our questions! Below are some additional answers so...

> > ...and open to any CA which has roots in major browsers and issues
> > certificates to the public.
>
> You do not have to issue EV certs to be a member. EV is not the only
> issue the CA/Browser forum plans to tackle.

The StartCom CA has applied for membership. Thanks for your help on this...

> >> It is regrettable, that there is explicitly
> >> the mentioning of "WebTrust" instead of "a neutral and competent 3rd
> >> party" or allow for alternatives such as ETSI. This monopoly isn't
> >> really healthy and doesn't reflect the Mozilla CA policy!
>
> It does allow for alternatives; it says "or an equivalent for both (i)
> and (ii) as approved by the CA/Browser Forum;". We can't just say "a
> competent 3rd party"; that just begs the question as to who would
> define "competent"?

Who decides what "equivalent" means? Alternatives are a good thing, as they provide additional appropriate options and don't leave the whole issue in the hands of ONE body. Personally I see various dangers if this were the case! I suggest that Mozilla stands for these alternatives, as its own CA policy defines and suggests! This is a very important point in our view! Please make sure that this actually happens!

> If you would like particular alternatives explicitly named, we may be
> able to do that. Please let me know exactly what.

For example, Mozilla's own CA policy would be a good start.

> 4) c) 1) says "related to their respective performance and obligations
> under these Guidelines"; so it's just for EV.

May I suggest making that perhaps in relation to a ratio of issued certificates, something like from 0-1000 issued certificates X insurance, from 1001 - ....and so on...

> >> Obviously a very small number of businesses will
> >> acquire EV certificates,
>
> Why is this obvious?

Overhead operational costs and requirements such as a physical check of the premises will make this type of certification certainly expensive, so "expensive" is a relative term... Additionally, many businesses will have difficulties complying with every criterion.

> So is "reasonable" verification good enough for a user to hand over
> their credit card details? If so, what's the point of level 3? If not,
> what's the point of level 2?

It depends on the user and not on your personal opinion. It depends on which information the user is going to share with the site operator, and perhaps on the general behavior of the user. People share this or other information every day with a cab driver, restaurant, on-line shop and who not... For user A reasonable verification might be enough, whereas for user B it's not. What do you know about a cab driver somewhere? Our position is to give the user enough information in order to make a personal judgment, not to decide for the user what is good for him and what is not!

> Except that they would have no clear guidance about what actions they
> should take based on those colours. Should they, for example, only buy
> from a merchant with a Level 2 certificate if they are feeling
> particularly lucky that day?

That's the user's judgment! The CA and browser vendor should provide the information about it (which today is currently lacking anyway).
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security