On Thu, Jan 1, 2009 at 7:57 AM, Ben Bucksch <ben.bucksch.n...@beonex.com> wrote: > > FWIW: > > On 31.12.2008 15:47, Eddy Nigg wrote: >> >> EV is clearly maximum > > No. EV is what I always expected all certs to be. It's really the minimum. > The whole security hangs of a phone call. It has lots of loopholes.
The EV guidelines prevent sole proprietorships and partnerships from obtaining EV certificates. These businesses are also handling transactions, and so they need more security than domain-validation. (Note, however, that we're discussing FINANCIAL TRANSACTIONS. There are other reasons than "protecting financial details" to use TLS.) As I've said repeatedly, VISA and MasterCard and other credit card processors in the US have reduced the liability to $0 for unauthorized transactions on their cards, in order to increase consumer confidence that they won't have to worry about being hit for $50 each time a fraudulent transaction comes through. (This is also the case with debit cards bearing the VISA or MasterCard logos.) > For me, anything less is rather pointless. DV: verify via http or plaintext > mail - hah. What was the reason for https again? For me, I like to know the legal identities of businesses I do business with. (Business licenses are required to be displayed at the location of business, I've always tried to look at financial-grade certificates as being somewhat akin.) However, take the following case: A subversion repository is dealing with someone who's (for whatever reason) still using SLIP. SLIP doesn't verify packet checksums, so a line-noise corrupted packet gets through. Normal HTTP won't detect or handle this, but HTTPS will (even if its failure mode is rather draconian). Also, it's easier to configure a single access method for a given service than multiple access methods. > The maximum is that the CEO has to sign in front of an CA agent, which > checks face and signature against the passport / ID card. The CA also checks > state registers for the official representative of the company. And all the > stuff EV does. Oh, and the CA is of course liable infinitely for all and any > kind of damages, direct and indirect, that result from a wrong certification > - otherwise they can just do crap and say "sorry" when things go wrong. Technically, only the corporation's secretary has the ability to sign on behalf of the corporation unless and until it is delegated. In many states, this involves an embossed seal on the document. But, again, you're focused on the FINANCIAL interaction case. All I want is something that slides into view letting me know that a certificate, while valid, has not had enough of a third-party attestation of validity to be appropriate for financial transactions. There's more than enough non-financial interaction cases for TLS and the web that the current inertia biased in favor of fiduciary/financial information provision (and the completely-unnecessary fees that this engenders for people who have zero reason to need it, which would essentially turn every website into a commercial enterprise if the site owner wanted/needed to recover costs) needs to stop. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto