Eddy Nigg (StartCom Ltd.) wrote:
Well no! CAs did in the past and today offer thorough identity
verification (personal and organizations alike), but it's the
_subscriber_ who is making the decision here. This is also true for EV
certification and nothing will change in that respect! A rare minority
would buy EV, without the green incentive... So it's not the CA not
offering thorough validations, but the subscriber not willing to pay
for it!
True. Good comment.
More than that, current anti-phishing functions now found in most
browsers and mail clients are much better at preventing phishing
attacks! I think that on this forum most agree that EV
is not going to be effective, nor the front line of defense against
phishing....
I disagree. I think that anti-phishing blacklists are a band-aid.
I think the most effective anti-phishing measures are:
* Bookmarks
* Clearly showing domain (and *only* domain) and maybe real world
owner (from cert)
Additional thoughts are that nobody should blindly follow through on
a purchase or sharing of sensitive data without coming to a conscious
decision - even if EV validated or similar.
I think that's too much a lifestyle and political question :).
yanking the root
the ones who get burned the most are the subscribers under such a
scenario
True. That's why I don't think that's a good scenario, as-is. We should
hurt the CA, not its customers (the sites).
Maybe an NSS feature to treat all certs from a certain CA issued *after*
a certain time as invalid would be nice *evil grin*, esp. with us
notifying existing cert holders that they need to renew with another CA.
That'll give the CA the shivers *lol*.
--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
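The "treat all certs from a certain CA issued after a certain time as invalid" idea from the message above, worked through as an added example (this is illustrative code written for this page, not NSS code or anything from the thread). It assumes certificates have already been parsed into a small summary record (subject, issuer, notBefore, notAfter), that the chain is presented leaf first, and that all timestamps are timezone-aware UTC; the rule and record names, the CA names and the dates are constructed for the demonstration. The check is applied to every certificate in the chain, not only the leaf, so an intermediate issued by the distrusted CA after the cutoff also causes rejection, and the comparison is strict so a certificate issued exactly at the cutoff is still accepted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical names: a "distrust after" policy rule and a parsed-cert summary.
# Constructed for this example; not the NSS data model.


@dataclass(frozen=True)
class DistrustAfter:
    """Certificates from `issuer` whose notBefore is strictly later than
    `cutoff` are rejected; everything issued on or before it stays valid."""
    issuer: str
    cutoff: datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def check_chain(chain, rules, now):
    """Return (ok, reason) for a chain ordered leaf first, root last.

    Ordinary validity-window checks run first; then every certificate in
    the chain is tested against each DistrustAfter rule, so an intermediate
    issued by the distrusted CA after the cutoff poisons the whole chain.
    """
    if not chain:
        return False, "empty chain"
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
    for cert in chain:
        for rule in rules:
            if cert.issuer == rule.issuer and cert.not_before > rule.cutoff:
                return False, (f"{cert.subject}: issued by {rule.issuer} "
                               f"after {rule.cutoff.date()}")
    return True, "ok"


# Constructed sample data: one CA distrusted for issuance after 2008-01-01.
UTC = timezone.utc
CUTOFF = datetime(2008, 1, 1, tzinfo=UTC)
NOW = datetime(2008, 6, 1, tzinfo=UTC)
RULES = [DistrustAfter("CN=Example CA", CUTOFF)]

ROOT = Cert("CN=Example CA", "CN=Example CA",
            datetime(2000, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))
OTHER_ROOT = Cert("CN=Other CA", "CN=Other CA",
                  datetime(2000, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))


def demo():
    """Run the policy over a few constructed chains; returns name -> ok."""
    old_leaf = Cert("CN=old.example", "CN=Example CA",
                    datetime(2007, 6, 1, tzinfo=UTC), datetime(2009, 6, 1, tzinfo=UTC))
    new_leaf = Cert("CN=new.example", "CN=Example CA",
                    datetime(2008, 3, 1, tzinfo=UTC), datetime(2010, 3, 1, tzinfo=UTC))
    boundary_leaf = Cert("CN=edge.example", "CN=Example CA",
                         CUTOFF, datetime(2010, 1, 1, tzinfo=UTC))
    other_leaf = Cert("CN=other.example", "CN=Other CA",
                      datetime(2008, 3, 1, tzinfo=UTC), datetime(2010, 3, 1, tzinfo=UTC))
    # Intermediate issued by the distrusted CA after the cutoff; its leaf is
    # issued by the intermediate, so only the chain-wide check catches it.
    late_intermediate = Cert("CN=Example Sub CA", "CN=Example CA",
                             datetime(2008, 2, 1, tzinfo=UTC), datetime(2012, 2, 1, tzinfo=UTC))
    sub_leaf = Cert("CN=sub.example", "CN=Example Sub CA",
                    datetime(2008, 4, 1, tzinfo=UTC), datetime(2010, 4, 1, tzinfo=UTC))

    chains = {
        "issued before cutoff": [old_leaf, ROOT],
        "issued after cutoff": [new_leaf, ROOT],
        "issued exactly at cutoff": [boundary_leaf, ROOT],
        "other CA after cutoff": [other_leaf, OTHER_ROOT],
        "late intermediate": [sub_leaf, late_intermediate, ROOT],
    }
    return {name: check_chain(chain, RULES, NOW)[0] for name, chain in chains.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'accepted' if ok else 'rejected'}")
```

One caveat for anyone who would deploy this: notBefore is written by the issuing CA, so a CA acting in bad faith could backdate new certificates past the cutoff. The mechanism is a way to wind down trust in a CA while sparing its existing customers, as the message above intends, not a defence against a CA that is actively hostile; that case still needs full removal of the root.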