Hi Gerv,

Gervase Markham wrote:

> Just to be clear: They are not _intended_ to cost $1000/year upwards;
But that's what I predicted a while ago... As suggested previously, this is mostly a marketing ploy, since the EV procedures can be performed with or without a CA/Browser Forum. I guess the prices will rather go up if Mozilla goes along with the green carrot...

> I don't think any information source would confirm that your address belonged to eBay.
The procedures suggested by the EV guidelines are, if implemented and performed correctly, pretty safe... Obviously, verification of the address and phone number by third-party sources is only one of the steps suggested. As for example with StartCom Class 2 certificates (so-called "reasonable" verification), it doesn't matter which phone number the subscriber provides (that's just a convenience), but for verification purposes only third-party sources are considered and checked, together with other material about the entity... I don't think that this is an issue, and there is no loophole...

> This whole thing has lots of loopholes. Given the experience and market pressures, we have to assume that the CAs use the absolute minimum and cheapest standards that still pass the guidelines, and they'll automate as much as possible.
That's of course another story...

> So if, for example, someone gets an EV cert and uses it for phishing, we can analyse how they did it and tighten up the guidelines to close the loophole. With the previous, different-with-every-CA, ad-hoc procedures, that sort of thing wouldn't have been possible.
If this forum weren't a monopolistic organization, this would even have been positive... But then again, I would like to see these various CAs promote the EV standard without the green address bar... Guess what: they'd disappear faster than you can see...

> it says "$2000 per Subscriber or Relying Party per EV Certificate". This means that if ten people are ripped off, they can claim $2000 each.
Well, there must be a distinction between subscriber and RP. It can't be both... Per subscriber it's 2K; per RP it can be hundreds of 2K! So as it currently stands, the CA can choose whatever interpretation it prefers... Make your own conclusion...

> One draft of a precursor document to the EV guidelines included a requirement for a site visit, and that you had to meet up with the applicant and take a photo of them with their government issued ID, and record the number thereon. I still think this was a great idea, but unfortunately I was not in a majority.
Huh? Did this get dropped? It used to be in the guidelines!? Well, if this is the case, then EV certs aren't even worth considering as anything other than Class 2. The site visit was also the major expense for the CA that I predicted... If this is not a requirement anymore, then I can't help but ask: why should EV certs be better than, let's say, any other "reasonably" verified certificate?

> Really? There's no way any CA could make money doing this at $100 a cert. In the US, there are networks of companies which will do site visits and this sort of verification for you, but in other countries, there aren't. Such a visit would cost several hundred dollars to have performed.
Oh... here is the site visit again... There is something I'm missing here...


--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security