On 30.12.2008 20:51, Frank Hecker wrote:
> Ben Bucksch wrote:

>> "not intended for ... e-commerce. ... the certificates carry no warranty"
> Ben, this is a pretty common disclaimer that CAs (including CAs other than Comodo, I believe) make for DV certs (i.e., certs for which only the domain control is validated).

Note that Comodo's "InstantSSL", while not DV, is not their high-value cert either. It seems to be mostly automatic validation. But it does carry the "intended for e-commerce" and not that "no warranty" black mark as PositiveSSL does.

With these low and alarming definitions (and consequent lack of processes and audit, presumably), they should never have been allowed for browser roots. The assessment of the CA itself, and mine in my post, still stand.

Browsers do not differentiate. Users cannot differentiate. All certs *are* used for e-commerce.

> all e-commerce sites should consider upgrading to EV certs. The market for DV certs is people like me

FWIW, Amazon does not use EV, neither Societe Generale nor another bank I checked. Also, I don't think we can train 100% of users to check for green in the next 3 years. 1% of users not differentiating/knowing this is enough for phishers. I don't think EV is the solution in this case, unless we completely degrade all normal certs to non-secure state. What I propose is to do that with certs which provide no assurances, not even on paper.

> We support DV certs in browsers for that market.

Problem is: It's not even a DV cert. And I don't believe them that they rectified the situation. Only when they have a number of RAs significantly smaller than 10 and all audited. It's useless to mandate an audit for the CA if the critical functions are not done by the CA.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto