On 01/02/2009 04:38 AM, Kyle Hamilton:
 From what I can see, the general overall idea that Eddy is suggesting
seems to be:

Type 1: the person requesting the certificate has shown that they have
some means of accessing things either in their mailbox or in the
URI-space of the domain.  (DV)
Type 2: (currently nonexistent) non-EV-eligible entities, businesses
which don't present a large enough attack surface to create a large
economic impact were their site MITM-attacked, have provided and shown
legal paperwork which backs up their assertions such that the CA is
willing to certify their identity in the Subject field (essentially
the initial requirements of Verisign/Thawte et al)
Type 3: extended verification of identity and legal existence, all
documents checked against their original sources, etc (EV)

(These are NOT to be confused with "Class N" as currently used by
Verisign et al.)

Is this correct?  Or am I misunderstanding?


This is more or less correct. It's the middle ground which isn't covered very well. It's anything above webmail, forums and blogs, but less than what is called a "high profile brand". A small part-time shop selling some widgets is a good fit for this class. Those are many times individuals or small businesses.

(BTW, small businesses usually still make up an important part of the economy.)


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto