Hi Gervase, Gervase Markham wrote: > Indeed. That's merely a statement of fact. And I'm sure removing > Startcom as a CA would break some proportion of sites as well. The > fact that we only have this "nuclear option" as a sanction is > definitely a problem - and one that EV can help solve. I agree with you, that this is a problem. However the option should exist - and considered - if needed...even if it's ABC CA with 99% of market share... >>> As I'm sure Verisign does also. >> Sure, however issuing a Class 3 certificate to a company or individual >> called "CLICK YES TO CONTINUE" simply shows something extremely broken. >> This is not a "domain validated" cert, but Class 3 code signing! And >> this didn't happen in the nineties, but just recently...I don't >> know....Verisign is not my business, but if somebody would have looked >> even once at this request, before CERTIFYING, this simply could not have >> happened! So much about that... > > So it seems we need standards for who one issues a cert to, not just > how one does it. Hang on, didn't we just write some of those? Well, if you really believe, that there indeed was a company called "CLICK YES TO CONTINUE", then I can't help you... :-)
>> As suggested previously, the Mozilla CA policy would provide such >> alternatives. > > We are going round in circles here. WebTrust are writing new > guidelines for auditing EV. If you want some alternative audit > criteria, you need to name them specifically (if they exist already) > or suggest who should write them. The Mozilla CA policy is not a set > of EV audit criteria, it's a CA policy for a browser manufacturer. Sorry, perhaps I didn't made myself clear enough...The new guidelines for auditing EV by WebTrust might be just perfect, but the problem is the monopoly of authorized auditors by WebTrust. This is, where the Mozilla CA policy provides alternatives, which is from our point of view very important. > >> Right, it's a CA related challenge...Obviously I'm looking at it, how a >> CA (including us) is going to comply with it...And what if there is no >> trustworthy agent available in that region? Quite obvious the CA must >> send somebody in to do this job. However this drives the costs upwards, >> which the client has to pay. In such a case, the client might prefer not >> to make the deal and the CA is going to loose business...or being very >> attempted to skip this requirement! I'm very skeptical about this one, >> because if a standard is set too high, it will be circumvented when not >> convenient! Simply as that... > > ...and the CA may well fail its audit. I'm not sure about this one! An audit is a current snapshot of the conduction of the CA business and its practices and procedures in place. It can't say anything about the "Before" and "After". Therefore a policy and/or standard has to be realistic in order to be adhered to, otherwise as I indicated, it might be circumvented when convenient....Most likely you will not know when this happens 99 % of the time...A risk a CA might take in order to make better business... >> Really? Are you buying anywhere without checking from whom and what you >> get? What are the guaranties you receive? What if you don't receive the >> goods? I don't think, that your argument is correct... > > So when you visit an SSL site to buy something, you read all the > certificate contents before proceeding with the purchase? Every time? Well, personally I'm not a good example really...I'm not that objective as a manager of a CA. However it depends on the nature of the site (e-commerce or not) and indeed one should be bothered at least once with the details of subscriber. As I suggested, this should be either easy to reach and/or in a pleasant and informative manner. >> http://www.benedelman.org/news/020305-1.html >> http://www.benedelman.org/spyware/images/installers-020305.html > > While these are misleading, and probably undesirable, I don't think > they could be called bogus. (Unless, perhaps, there isn't a company > called "Click Yes to Continue" - but why couldn't there be?) > Otherwise, all of them show the name of the company concerned. > > The fact that the dialog presentation sucks is an IE UI issue. Well, I meant the company called "CLICK YES TO CONTINUE", not the rest.... -- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
