Ian G wrote:
Does anyone have a view on what "low" and "high" means in this context? Indeed, what does "assurance" mean?
I'll say it again, I feel it's possible to handle this based on the amount of checking a CA does, after all if someone wanted to do a serious attack on a system they will have no trouble going to any length to try and break it. On the other hand why only introduce 1 more classification into the mix, the following suggestions will give verisign et all a lot more wiggle room to play with if they wanted to start doing military grade background checks, this could include things like past shoddy business practises, bankrupcy listings, current financial status etc etc etc
no checking = class 0 testing cert, obviously limited value, I doubt it's even worth writing home about etc...
minimal checking, via email probing or similar = class 1 (low trust)
some checking requiring faxed in ID's = class 2 (medium trust)
forcing someone to front up to a police station or something like the postident system in germany showing their own ID + documents of incorporation etc etc etc = class 3 (high trust)
Governmental background checks etc = class 4 (military grade)
Ian, I agree with you 100% about low/high trust differentiations and CAs only doing as much as they have to, so why not make things more granular so that if companies want to advertise high trust, spell out exactly what high trust means to mozilla, and have a few more in there for good measure so that if they want to only just adhere to one or more groupings they can do so...
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
