Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Gerv, I think you are concentrating too much on what Level 2 means, instead of trying to see the whole picture first and which problem the proposal tries to solve. But here are a few thoughts about "Level 2", since you are insisting on it. First a few facts:

- This type of certification is the most common after domain validated.

It's also entirely unregulated. A CA can claim that they do identity validation, but there's no way of knowing exactly what they do and how effective it is.

And this is the ONLY thing that EV certs are trying to solve, but this can be solved without EV certs by fixing the browser rules for CA inclusion, and by giving the users more information about the cert in a much friendlier fashion than is available today.

- EV will not be the replacement of "anything higher than domain validated". According to estimates from various sources (including Verisign), EV will be used for between 1000 and 4000 sites, or about *one percent or less* of all issued certificates today.

Do you have a source for these estimates? I think it's rather unlikely that the CAs collectively would have had seven or eight on-site meetings over three years, and devoted so much time to the effort if the total potential income from EV, shared between all of them, was between $500K and $4M.

(No, this is not an excuse to rant about the cost of EV. I mention this only as one reason why I think your estimates are unlikely, not because "EV is all about the money" or anything like that.)

Now, it really depends what you can do with this second Level. And it is a decision which depends on the user mostly. However the user must receive the correct indications and/or information to make a decision, which he today most likely can't.

I don't understand how what you are suggesting would work out in practice. It seems to me that you end up somewhere between these two extremes:

1) Tell the user "The CA has taken the following eight steps to verify the identity of the owner of this website. Using your skill and judgement, decide how effective you think those steps would be at identity validation, and then decide whether to use your credit card here."

2) Tell the user "Yes, you can use your credit card here".

Of course, there are many stages in between. But, as you are saying "the user must receive the correct indications and/or information to make a decision", it seems you are closer to 1) than 2). Would that be fair?

The problem with anything anywhere near 1 is that the user is absolutely unqualified to make such a judgment. It's the equivalent to the following scenario.

Say you want to go somewhere on a bus. There are two competing companies serving the route. You are told "Bus safety is entirely unregulated. Bus company A has the following maintenance and safety procedures. Bus company B has this other set of different procedures. Which would you like to travel with?"

Sounds like the same issue you have trusting PGP signatures, but the CA's evaluation of a company's identity DOES NOT MEAN that they have trustworthy people working for them, or that the security on their data is any good, or that the executives aren't selling data to spammers.

EV certs provide a FALSE sense of security; this is MUCH worse than telling the users "we have done the best possible job at following our policies to validate this entity's persona, YOU have to decide if you trust them or not".

Certification is about Identity validation and one shouldn't forget that. No level, including EV, promises to safeguard your private information or prevent misuse of your credit card details.

Only insofar that if you know a lot about a person, they are more likely to deal with you honestly.

Yeah and Alienware was easy to deal with and will give me my money back now that they are owned by Dell. Not! It doesn't matter how big a company is or how well you know them. AOL execs still sold people's info to spammers, Alienware still sells shoddy computers, Microsoft can't figure out where they sent the MAPS subscription to.

The bottom line is Identity validation, especially for companies, will NEVER guarantee trustworthiness.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security