Eddy Nigg (StartCom Ltd.) wrote:
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
That's right! But the audit confirms exactly that (in your example,
no verification). The CA will have to mark its certificates compared
to its policy which was audited accordingly.
Why will they "have to"?
Because they would like to have their certificates detected accordingly.
If there is no OID, then the browser doesn't know what to do and probably
marks it as the lowest level by default (just a suggestion - it could
also state that it doesn't know the assigned level: be careful!).
You misunderstand my concern - I apologise for not explaining better.
Let me try again.
Why will they "have to" mark their certificates as corresponding to the
level which matches its policy, rather than marking them at a higher
level? What happens if the CA and the browser vendor disagree about what
level a particular type of certificate should be?
Who is the policeman?
Gerv, please answer me these questions here, I'll wait for your answer:
Are you a policeman today?
As much as I can avoid it, no.
Will you be a policeman with EV?
No, because the CA validation practices will get audited against the
public documents on the cabforum.org website. So Ernst and Young, KPMG
and friends are the policemen.
And, inevitably, there is a certain amount of judgment involved in
deciding whether a particular set of practices meet a particular
Mozilla "level".
I simply don't think that this will be an issue at all. The levels will
be defined clearly and understandably. A CA will be able to judge if it
does A, B, C for level X; if not, it goes down one level and checks if it
does A and B, etc. ... CAs are not idiots... they can handle that...
If the motives of the CA are solely to be completely honest about it,
yes. But given that they can make more money if they can pass less
validated certs off as more validated certs, there's a big incentive to
say "well, this set of practices corresponds to level 3" when in fact we
might think it corresponds to level 2.
Who arbitrates when there's a dispute?
Who arbitrates when there's a dispute today?
No-one. And it's a potential problem.
His suggestion is that CAs self-classify their existing offerings into
one of 4 categories.
Therefore the reason I object is that it seems to me that, in the face
of the new consumer-level identity spoofing threats which were not
present for the first ten years of the life of SSL, _none_ of the
current practices are sufficient.
Huuu? "new consumer-level identity spoofing threats"??? LOL
Phishing.
Gerv thinks that EV is a new invention... Please read a few CA policies
and practices and you'll find EV all over... Class 3 validation and
higher exist and current practices exist! All it needs is that
browsers know to differentiate between the various verification
procedures... this is what is insufficient!
I don't think that any existing practices are as strong as EV. (I'd be
interested if you could prove me wrong by pointing me to a public
document detailing validation practices, in use by a CA today, which is
as strong or stronger).
Both of these are the names of banks. The organisation which obtained
these potentially confusing certificates (to prove a point) didn't
even have to lie to get them. I'm sure those willing to stretch the
truth a bit more could achieve "better" results.
The certificates in question are most likely domain validated.
Nope. Organisationally validated. Check the certificate contents, and
match them up with the relevant CA's products.
Domain validated certificates have the domain name in the O field, not a
name like this.
absent the desire of the Mozilla Foundation to play "CA Cop" and spend
ages evaluating the different procedures of all the CAs, all we can do
is lump all existing "organisationally-validated" certificates into
the same "identity not sufficiently verified" category.
Bullshit... you are repeating this, even though you have received answers on
this... To "lump all existing" into one category is what browsers have
wrongfully done for as long as they have existed!!! We are going to change this! That's
exactly the wrong...
I agree it is not good to lump everything into one category, but I say
that it's unavoidable without documented and third-party-audited
standards so we can meaningfully discriminate. Having the Mozilla
project find resources to do our own audit is just out of the question.
This is where we disagree. You think it's entirely reasonable for the
CAs to self-classify. I don't trust them that far. All of the incentives
lead them to want to stretch the truth.
Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security