On 30.12.2008 12:43, Ian G wrote:
> [Audits reliability]

You already opened a thread about this (and I replied there). No point in opening another sub-thread about it.

> Most all certificates carry no warranty

No. This particular sentence appears under heading "Positive SSL Certificate", as I quoted, but does not appear in the section "Comodo InstantSSL Certificate". The latter says "Their intended usage is for websites conducting e-commerce", which is explicitly denied for Positive SSL.

"not intended for ... e-commerce. ... the certificates carry no warranty"

It's clear that these certificates were never defined to be used in browsers, and therefore never should have been shipped with browsers.

> There are a million web sites out there with certs.... Not all of them are doing ecommerce.

Sure. But SSL was invented by Netscape for e-commerce via the browser. And it's used like that by x00 million users, for buying stuff on amazon, ebay and ten thousand other stores, and to do financial transactions with their banks. They rely on us and SSL.

Browsers do not differentiate between issuing CAs (having to click on the icon does not count). Even if they do, users have no idea what a CA is, which one is trustworthy, what all that means or why the differentiation, nor can they know that in practice. They only look for the lock icon, and that is already too much to ask for most.

For all intents and purposes, all CAs and certs are treated equally in browsers. (Apart from EV, and even there, the difference is rather subtle for normal users.)

All CA-signed certs need to be able to protect bank transactions and purchases securely. It's by design.

> we would need to establish monetary values for the certificates. That's the only thing that consumers will likely be interested in.

Wrong: money is not everything, but I don't care to discuss that now. The $-number is not important either; I think we all understand "ecommerce" and everyday usage (and occasional usage) of web browsers.

> And, as a claim to address the above point, there is no standard that puts ecommerce at a higher number than zero.

Ian, you're playing word games, trying to cloud the issue. Can we stop that and get back to the real, actual problems at hand? There's a CA that's issuing certs without any verification, under "PositiveSSL", and I pointed out the reason.

> We aren't really purposing SSL to "just ecommerce" as far as I know...

I haven't said that. I do say that all certs need to be able to live up to e-commerce standards, because browsers do not differentiate between them, neither do or can users. Eddy demonstrated it all.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
