Gervase Markham wrote:

> On what basis would you mark a level 2 certificate as safe? How can a user make such a decision safely?

Gerv, I think you are concentrating too much on what Level 2 means, instead of trying to see the whole picture first and which problem the proposal tries to solve. But here are a few thoughts about "Level 2", since you are insisting on it. First a few facts:

- This type of certification is the most common after domain validated. Anything higher than domain validated should be encouraged if 1.) It is used *beyond* low-risk private and public sites, such as web mail, forums and blogs. 2.) It is understood the correct way and doesn't claim to be more than it is.

- EV will not be the replacement of "anything higher than domain validated". According to estimates from various sources (including Verisign), EV will be used for between 1000 and 4000 sites, or about *one percent or less* of all issued certificates today. This I call "too much trouble", which leaves SSL in browsers still utterly broken. We are talking here about the other 99%!!

Now, it really depends what you can do with this second Level. And it is a decision which depends on the user mostly. However the user must receive the correct indications and/or information to make a decision, which he today most likely can't.

Suppose one receives this information about Level 2, then:

If you give your credit card to a taxi driver to pay your fare, then I suggest that Level 2 is sufficient. If you give your credit card to some restaurant on a business trip, then it's sufficient. Purchases through the Internet have their own rules and are treated differently than a purchase made in person and with a signed statement. This is a very important fact! But I would not make a transfer of 10,000 US$ by Western Union to somebody, *only* on the basis of a Level 2 client certificate presented to me. I would make additional research prior to that. I would not give away unnecessary private information based on Level 2. However I wouldn't do that with any higher level either.

Certification is about identity validation and one shouldn't forget that. No level, including EV, promises to safeguard your private information or prevent misuse of your credit card details. And in that respect I need to receive proper information about verifications performed. I also need to understand that SSL is *only* about identity validation. The proposal tries to provide a structure and framework of levels in order to have a better definition of these verifications - first and foremost at the browser policy level! The rest about this comes in the next mail....

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security