Eddy Nigg wrote:
Frank, I think the problem Ben pointed out is that it doesn't matter for what exactly the certificate /should/ be used, nor even for what exactly it /is/ used by the subscriber (note, Mozilla uses mainly regular SSL for its sites). The fact is that for domain validated (and higher validated) certificates the browser doesn't know the difference. The value of DV certificates is equal to the *highest* target protected by a Non-EV certificate, period. This is the highest risk potentially.

Yes, but that doesn't necessarily have general implications for the way we treat these cases. For example, it's possible that someone somewhere has a site with a DV certificate, and that by "breaking" this cert someone could gain access to assets worth (say) USD 100 billion. Does that mean that we have to treat DV certs in general as if we're dealing with potential $100B losses? I think not. We have to make some reasonable assumptions about what particular types of certificates are likely to be used for.

Now, if you maybe recall, during the EV discussion some two years ago I presented an alternative model to EV. It had three different classes, one of which was EV, one was DV, and the middle ground was IV/OV. Maybe today some of you here might see the value of what I proposed back then, by making a distinction between DV, IV/OV and EV.

The reason why we didn't do that then, and the reason we don't do it today, is that there is no set of standard practices to put a common meaning behind "OV/IV". One CA might require in-person appearance, another might allow the applicant to simply fax in a copy of their national identity card, and so on. So if we wanted to give enhanced UI treatment to OV certs we'd be faced with the problem of determining whether a given CA's certs were "really" OV/IV or not.

The virtue of EV certs (and the reason we supported their creation) is that the EV guidelines combined with the WebTrust EV criteria gave us a set of (reasonably) standard practices and a corresponding (reasonably) common meaning on what EV meant.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto