On 01/04/2009 12:05 AM, Gervase Markham:
You want us to make an IV certificate which can be issued to businesses
without "verifiable physical existence and business presence"?

Yes, that is, many times small businesses and "trading as" are run from home or small offices. Some aren't exactly businesses, but one would nevertheless want to know with whom you are dealing. Additionally, there are of course different ways to perform reasonable checks for a presence, where "reasonable" depends.


You mean that you want a price point in between DV and EV? :-)

Yeah also. And why not? For many EV is an overkill,

But it's not for their benefit they are getting that level of vetting,
it's for the benefit of their customers.

Certainly. But as shown above, those customers might not need them nor would the subscriber be able to qualify for EV in the first place. Do we want to exclude this group from getting verified even though it would be better than nothing at all?


Let's put it another way: how do we explain the difference between EV
and this new level to consumers? "You can do transactions up to $X if
there's an EV cert, but only $X / 10 if it's a NewV cert?" Who's going
to pay attention to that?

I think that's the better question here. This is certainly something we would have to think about - and I suggest that there are those who have better qualifications for that than we do. But basically, if people can be educated to a certain degree about EV, I believe that it's possible to educate that there are other options, like DV...or IV/OV.


Proper identity validation takes time, and so costs money. The only way
to make it cheaper is to do less validation. And the less validation you
do, the easier it is to get dodgy certs issued.

Mmmhhh yes, maybe. Obviously your statement is correct theoretically, but for this type of validation, the validation should be reasonable. This of course needs to be signaled somehow, like: This person or "trading as" was validated by different means....as opposed to this organization has been thoroughly validated according to EV. (Don't pick on the wording now)

If it's possible to
reduce the amount of validation without running that risk, let's change
the EV standard.

No, I don't think this is what I really meant. I think EV as such is fine, that's not the purpose of my proposal. It certainly would devalue EV itself.

If you think the current CAs are overcharging, get
certified for EV yourself and charge less.


We are getting there...this exactly was also one of your pieces of advice which influenced that...but it ain't really cheap either :S


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
