Hi Gerv,
Gervase Markham wrote:
> Just to be clear: this is, at heart, a UI proposal, isn't it? You want
> the UI to differentiate between these four levels, rather than just
> the one level (as now) or two levels (as IE 7 does with EV)?
Before you can do anything with the UI, there needs to be an underlying
framework and policy defining it. In this proposal it's actually more
than that, it's a re-definition (or definition which exists mostly in
practice at CAs, but not at the software) of how SSL certificates should
be treated from now on. Once this is part of the Mozilla CA policy (and
hopefully other vendors might follow the lead) an eventual UI proposal
could be worked out. The UI can take many colors and shapes, but without
the underlying framework no UI can do much...Please note, this is not
about code, but about policy shaping...
> The Mozilla Corporation has just hired Jonathan Nightingale from IBM
> to work specifically on security UI for Firefox 3. I'm sure he will
> take your proposal on board.
Perhaps, but we need to work out the definition for it first. I'm sure
Jonathan will agree with me....in short, we have some work to do prior
to that ;-)
> I'm sorry, but I can't work it out - what does the abbreviation
> "resp." stand for?
It stands for "respective".
> You explain the levels well in terms of the validation performed.
> However, as this is at heart a UI proposal, how do you suggest (in
> terms of concepts, rather than in terms of pixels) these levels should
> be presented to the user?
No idea yet...and as was suggested previously, there are some smart
people on board for this; however, once we get to it, I'll make my
recommendations...trust me on that one ;-)
> For example, my mother is considering using her credit card at a shop,
> and the UI indicates (in some way) that it is level 2 secured. Should
> she shop there?
>
> I've visited a site that I think is my bank, and it has a level 4
> certificate. Should I be concerned, given that level 4 is normally for
> individuals? How concerned?
As I indicated in the proposal, this is something we will have to work
on and define exactly what we want. In my opinion Class 4 should be for
individuals and client certificates only. However you might want to work
out a similar definition for server certificates as well?
> Why four levels, rather than six? Or two? Or ten?
Good question! The current proposal has been more or less common
practice at many CAs (including Verisign and StartCom) and I view it as
an almost de facto standard. By choosing a definition which is common
and easy to adjust if needed by the CA, we can guarantee a speedy
adoption at CAs. However, a CA can at any time match its issuing
processes with that of the proposed Mozilla CA policy extension and
assign the relevant level to its certificates.
Except that, I think that two levels is not enough, especially as the
second level is expected to be for a small minority of subscribers, as
in the case of EV, this is currently for registered organizations,
server certificates only.
>> The identity is validated by various means, such as verification of
>> the identity via scanned, photocopied or photographed photo ID
>> documents (passport, identity card, driving license) and company
>> registry, which is then further verified by a lookup at a third
>> party source, such as phone directories and phone call or sending of
>> a registered mail to the address found in the documents provided by
>> the subscriber. This kind of verification is not done in person.
>> Ownership of the domain name, resp. email account is performed
>> according to Level 1. The certificate must state the subscriber
>> name/organization name, locality, state (where applicable) and country.
>
> So for individuals, the certificate contains address information which
> is unverified?
Who said that it's unverified? Perhaps read it again? Or I might not
have been clear enough here?
> How does your proposal ensure that the CAs stick to what they have
> promised - i.e. that the OID they put in the certificates corresponds
> to the level of validation done? Do we just have to trust them?
Actually yes. In my proposal this is exactly the case, the same as today,
where Mozilla trusts the CAs to adhere to the Mozilla CA policy, which
in that respect also defines a minimum level of verifications, for
example (confirmed by a third party audit). You might argue that this is
not enough and come up with an alternative proposal concerning that.
However, we were thinking about it too and came to the conclusion that
this might be the right thing to do.
Cheers!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security