Ian G wrote:
> From memory, EV is a "supplement" to WebTrust for CAs, leaving WebTrust for CAs in place as a valid and useful audit, at least in the opinion of the CABForum.

That is correct. The CAB Forum's EV guidelines document requires both an audit according to the WebTrust for CAs criteria and the WebTrust EV criteria, with the WebTrust EV criteria considered as a supplement to the WebTrust for CAs criteria, not as a replacement.

> I do not see that conclusion? There are a million web sites out there with certs (by one survey, and another reported many more). Not all of them are doing ecommerce. Probably in excess of 90% are basic work websites where users access private data, and want SSL protection for that (yes, finger in air guess, no more).

I can add a little more rigor to this. As you note, there are ~1M valid SSL certificates in use on the Internet. ~10K of these, or ~1%, are EV certificates. According to Netcraft (from whom I got these figures) on the order of half of the ~1M total certs are DV certs. (It's not 100% clear to me how they distinguish DV certs from OV certs, so I'd take this last figure with a grain of salt.)

> My claim -- check if this is true -- is that most nearly all certificates have an *effective* liability and warranty of zero. And, as a claim to address the above point, there is no standard that puts ecommerce at a higher number than zero. (And, Mozilla does not currently have an "ecommerce certificate" policy or difference...)

In practice we have a de facto differentiation between EV certs and all other certs, as embodied in the Firefox UI. I guess we could modify the policy in future to make an explicit correspondence "EV = e-commerce", but that might run afoul of the whole "qualified certificate" issue in the EU. (However in practice we don't accord qualified certificates any special treatment, so it may be a moot point.)

Frank

--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto