On 3/23/2012 11:37 AM, Kevin Chadwick wrote:
What are the plans to fix SSL? Would it be good to have a collaborated,
IE, Firefox, Chrome single free CA (like StartSSL) where the rogue CA
issue is prevented and security could be handled properly by eventually
removing all other CAs from browsers?

A domain control check could be automated via email or like how Google
AdWords does with an HTML file. They would probably even let their
AdWords system be used if they think it's more practical than their web
of trust lookup site experiment. EVs are a waste of money except for
keeping misinformed customers anyway. Site rating seals are far better.

   How can a free CA afford to validate its customers?

   The CA Browser Forum is tightening up standards.
The rules on certs change July 12, 2012, and will be much tighter
thereafter.  There will be three levels of certs - "domain control
only", "organization validated", and "extended validation".
"Domain control only" is for blogs.  Anything that takes a credit
card should have at least "organization validated".  Financial
institutions should have EV.

   We make that distinction now, in SiteTruth's browser add-ons.
We look up the business specified in the cert, and check out
its identity, location and financials.  We're looking forward
to tightening up the rules after July 12.

                                        John Nagle
                                        SiteTruth
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security