Eddy Nigg (StartCom Ltd.) wrote:
> Heikki Toivonen wrote:
>> Since IE
>> has the first(?) UI for EV certs, other browser manufacturers have some
>> incentive to follow their lead unless they can think of something
>> obviously better.
> As someone else pointed out, Mozilla should lead, not follow. That's the
> reason for our proposal...And what if Microsoft follows the lead of
> Mozilla thereafter?

But we should only lead where we think a particular innovation is actually better. We should not be different just for the sake of being different.

>> Even though I consider myself security savvy, I'd rather not deal with
>> multiple levels in the browser myself.
> Nobody asked you to do this. There are very capable people at Mozilla
> who have the knowledge, background and technical skills to deal with
> that...Otherwise you'd rather not build a browser with SSL capabilities!

He means as a user, he would rather not deal with multiple levels in the UI. And Heikki is, as it happens, one of the "capable people at Mozilla who have... etc.".

>>> There are various other valid standards for CA's and nothing, but
>>> nothing will change the role of the browser vendor in this respect. EV
>>> is just another standard! Auditing was always a job of a third party and
>>> I don't see anywhere in the current CA policy, that Mozilla is supposed
>>> to do the auditing. Nothing will change in that respect!
>> You say that like standards have no value, and are all just useless
>> pieces of paper.
> What did I say?

To rephrase him: "You are speaking as if standards have no value, and are all just useless pieces of paper."

> I don't know, but because of market share giving a certain CA a green
> card is the wrong message perhaps! Or do you want examples from me,
> about the "CLICK TO CONTINUE" certs and issued wrongfully to "Microsoft,
> Inc." by this very same CA? Obviously they didn't perform according to
> their own policy, else this wouldn't have occurred!

So you would be happy for your own CA to be held to a 100% correct issuance standard? That is, if you issued one certificate incorrectly, you would be immediately and permanently removed from all browsers everywhere?

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
