On 12/31/2008 01:11 AM, Frank Hecker:
> Yes, but that doesn't necessarily have general implications for the way
> we treat these cases. For example, it's possible that someone somewhere
> has a site with a DV certificate, and that by "breaking" this cert
> someone could gain access to assets worth (say) USD 100 billion. Does
> that mean that we have to treat DV certs in general as if we're dealing
> with potential $100B losses? I think not. We have to make some
> reasonable assumptions about what particular types of certificates are
> likely to be used for.


Are you sure? Think again... or perhaps Mozilla should start to use EV certs for the update mechanism of Firefox and *enforce* it? There might be many other sites which could potentially wreak havoc that is not measurable in terms of money only.


> The reason why we didn't do that then, and the reason we don't do it
> today, is there is no set of standard practices to put a common meaning
> behind "OV/IV". One CA might require in-person appearance, another might
> allow the applicant to simply fax in a copy of their national identity
> card, and so on. So if we wanted to give enhanced UI treatment to OV
> certs we'd be faced with the problem of determining whether a given CA's
> certs were "really" OV/IV or not.
>
> The virtue of EV certs (and the reason we supported their creation) is
> that the EV guidelines combined with the WebTrust EV criteria gave us a
> set of (reasonably) standard practices and a corresponding (reasonably)
> common meaning on what EV meant.

Nothing would have prevented it from becoming a standard, right? It still doesn't today? You could have taken it to the CAB Forum. :-) In my opinion EV by design provides only half the solution, incomplete at best. The other half is still missing today, unfortunately. By now it would perhaps have acquired a meaning. I still believe that users need to be able to differentiate between low assurance (password protection of low-profile sites), medium assurance and EV. EV is meant for high-profile brands and targets.

But...that's for a different discussion actually...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto