Hi Dan,

Dan Veditz wrote:

> Yes, they could but the presentation in the browser is exactly the same
> whether they do or don't. Why would they bother doing it the hard way? More
> and more CAs are apparently asking themselves that question.
Well, no! CAs did in the past, and still do today, offer thorough identity verification (of persons and organizations alike), but it's the _subscriber_ who is making the decision here. This is also true for EV certification and nothing will change in that respect! A rare minority would buy EV without the green incentive... So it's not the CA not offering thorough validations, but the subscriber not willing to pay for it!

And obviously EV will not prevent phishing of the "big" web sites, for various reasons. First, because phishing sites mostly don't use SSL to start with; second, the green address bar also has its drawbacks... which will resolve in the same way as the padlock! We aren't living in a perfect world and user education is a major problem!

More than that, the current anti-phishing functions now found in most browsers and mail clients are much better at preventing phishing attacks! I think that on this forum most agree with the fact that EV is not going to be effective, nor the front line of defense against phishing....

Additional thoughts are that nobody should blindly follow through on a purchase or on sharing sensitive data without coming to a conscious decision - even if EV validated or similar. Because validation of the identity doesn't guarantee to anybody that this entity will deliver the goods and not misuse your information! Suing somebody in court isn't fun either and doesn't guarantee that this entity can pay for the damage...

> I don't really care about helping CAs sell more expensive certs, but I do
> want them to do more validation with an explicit standard we can hold them
> to.
That in itself would be a good thing; however, the whole thing is once again dictated by Verisign and Microsoft. There wasn't an open process as far as I'm concerned, and it's really about getting the CA business back on track!
> If we can offer a usable and effective UI differentiator for EV certs
> maybe we and the CAs can both get what we want (big if). Threatening to
> turn off "EV-ness" of a CA's root cert for non-compliance with the standard
> is a more credible threat than yanking the root from the browser and
> frustrating millions of users.
Yes, maybe... So no CA ever guarantees support of their CA certificate in browsers to the subscriber... So perhaps any such CA will have problems selling more of the same; the ones who get burned the most under such a scenario are the subscribers! And I'm not talking about eBay.... they can afford it...

But how fast can a browser vendor remove EV support for a certain CA? Instantly? If not, millions of relying parties might be at risk. But now thinking about eBay again: what happens to such a site if they educate their users to look for the green address bar and then all of a sudden it turns white or yellow... Can you imagine the possible damage due to lost purchases and the confusion? I don't believe that any browser vendor has the guts to remove EV support for one of the big five CAs from their browsers, not to mention removing their CA root! And because neither Mozilla nor any other browser vendor would do this, it remains a hollow phrase without meaning and teeth...

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390


_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
