Eddy Nigg (StartCom Ltd.) wrote:
>> If you would like particular alternatives explicitly named, we may be
>> able to do that. Please let me know exactly what.
>
> For example Mozilla's own CA policy would be a good start.

No, I mean particular alternative audit scheme (such as ETSI). Did you have one in mind?

>> 4) c) 1) says "related to their respective performance and obligations
>> under these Guidelines"; so it's just for EV.
>
> May I suggest making that perhaps in relation to a ratio of issued
> certificates, something like from 0-1000 issued certificates X
> insurance, from 1001 - ....and so on...

I don't understand what you are asking for here. The insurance requirements apply only to EV. So it's irrelevant how many certs of any other type the CA issues. And you need the same level of insurance whether you are issuing 1 EV cert or 10,000. However, your premium may be different if you issue more, I don't know.

>>> Obviously a very small number of businesses will
>>> acquire EV certificates,
>>
>> Why is this obvious?
>
> Overhead operational costs and requirements such as a physical check of
> the premises will make this type of certification certainly expensive, so
> expensive is a relative term... Additionally many businesses will have
> difficulties complying with every criterion.

Which criteria do you think are particularly difficult, and how would you change them?

>> So is "reasonable" verification good enough for a user to hand over
>> their credit card details? If so, what's the point of level 3? If not,
>> what's the point of level 2?
>
> It depends on the user and not on your personal opinion. It depends
> which information the user is going to share with the site operator and
> what is the behavior of the user generally perhaps. People share this or
> other information every day with a cab driver, restaurant, on-line shop
> and who not... For user A reasonable verification might be enough whereas
> for user B it's not. What do you know about a cab driver somewhere? Our
> position is, to give the user enough information in order to make a
> personal judgment, not deciding for the user what is good for him and
> what not!

But a user does not have any basis on which to make that judgement.

Take my mother. She comes to a website where she wants to buy $100 worth of clothes. (Let's say, for simplicity, that she knows how much stuff she wants to buy before she even starts, which is unusual.) Should she accept "reasonable verification" or not? How should she decide? What information should she use, and in what way should she process that information to arrive at a decision?

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security