Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser
I think the only really important purpose of OV and EV over DV is that they are visible at first sight. Nobody opens the X.509 file to look at the EKU OIDs or the subject DN. The requirement could just say that X.509 must be supported, but they do differentiate DV, OV and EV.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
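As an added example (not code from this thread, from Mozilla or from the BSI), this is what "opening the X.509 file" to tell DV, OV and EV apart looks like in practice. The validation level is carried by the CA/Browser Forum reserved certificatePolicies OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV) together with the subject DN, and the classifier below refuses to label a certificate whose policy OID and subject disagree. The self-signed certificates it builds are constructed test data, and the `cryptography` package is assumed to be installed.

```python
"""Classify a TLS leaf certificate as DV / OV / IV / EV from its contents.

Added example, not code from the dev-security-policy thread. The certificates
generated by sample_certs() are constructed test data, not real certificates.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# CA/Browser Forum reserved policy OIDs (Baseline Requirements / EV Guidelines).
CABF_EV = x509.ObjectIdentifier("2.23.140.1.1")
CABF_DV = x509.ObjectIdentifier("2.23.140.1.2.1")
CABF_OV = x509.ObjectIdentifier("2.23.140.1.2.2")
CABF_IV = x509.ObjectIdentifier("2.23.140.1.2.3")
POLICY_LABELS = {CABF_EV: "EV", CABF_OV: "OV", CABF_IV: "IV", CABF_DV: "DV"}


def validation_level(cert: x509.Certificate) -> str:
    """Return 'EV', 'OV', 'IV', 'DV' or 'unknown' for a leaf certificate."""
    try:
        policies = cert.extensions.get_extension_for_class(
            x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        policies = []
    asserted = {p.policy_identifier for p in policies}

    # If a CA asserts more than one CABF OID, take the highest-assurance one.
    for oid in (CABF_EV, CABF_OV, CABF_IV, CABF_DV):
        if oid in asserted:
            level = POLICY_LABELS[oid]
            break
    else:
        return "unknown"  # no CABF policy OID: do not guess from the subject

    # Cross-check the policy claim against the subject DN: OV/EV certificates
    # carry an organizationName, DV certificates do not. A mismatch means the
    # label cannot be trusted, so it is reported as unknown rather than guessed.
    has_org = bool(cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME))
    if level in ("EV", "OV") and not has_org:
        return "unknown"
    if level == "DV" and has_org:
        return "unknown"
    return level


def _make_cert(subject_attrs, policy_oid):
    """Build a self-signed test certificate (constructed data, not a real cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject_attrs])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName("example.test")]),
            critical=False)
    )
    if policy_oid is not None:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(policy_oid, None)]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


def sample_certs():
    """Constructed certificates covering the normal and the inconsistent cases."""
    org_subject = [
        (NameOID.COUNTRY_NAME, "DE"),
        (NameOID.ORGANIZATION_NAME, "Example GmbH"),
        (NameOID.COMMON_NAME, "example.test"),
    ]
    dv_subject = [(NameOID.COMMON_NAME, "example.test")]
    return {
        "ev": _make_cert(org_subject, CABF_EV),
        "ov": _make_cert(org_subject, CABF_OV),
        "dv": _make_cert(dv_subject, CABF_DV),
        # EV policy OID but no organizationName: policy and subject disagree.
        "ev_without_org": _make_cert(dv_subject, CABF_EV),
        # No CABF policy OID at all (as in many pre-2012 certificates).
        "no_policy": _make_cert(dv_subject, None),
    }


if __name__ == "__main__":
    for label, cert in sample_certs().items():
        print(f"{label:16s} -> {validation_level(cert)}")
```

The same function works on a real leaf certificate loaded with `x509.load_pem_x509_certificate`; the point of the cross-check is that a policy OID alone is a claim by the issuer, and the subject fields are the evidence that claim should be consistent with.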
Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser
On Oct 18, 2019, at 6:39 PM, Peter Bowen wrote:

>> On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy wrote:
>> Paul Walsh via dev-security-policy writes:
>>
>>> I have no evidence to prove what I’m about to say, but I *suspect* that the
>>> people at BSI specified “EV” over the use of other terms because of the
>>> consumer-visible UI associated with EV (I might be wrong).
>>
>> Except that, just like your claims about Mozilla, they never did that, they
>> just give a checklist of cert types, DV, OV, and EV. If there was a
>> Mother-validated cert type, the list would no doubt have included MV as well.
>
> I think this is even easier. Kirk linked the article which links to the
> actual requirements at
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf
>
> In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung
> (Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung
> (Organizational-Validated-Zertrifikate, OV) sowie Zertifikate mit erweiterter
> Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt werden".
>
> Bing Microsoft Translator says the English translation is "Certificates with
> domain-based validation (domain-validated certrifikate, DV), with
> organization-based validation (Organizational-Validated Certificates, OV) as
> well as certificates with Extended Validation Certificates MUST be supported"
>
> This appears to be the only reference to EV in the requirements. Given the
> discussion has been around moving the UI treatment of EV to match OV (versus
> having a distinct EV-only UI treatment), I don't think there is likely to be
> any impact on the BSI conformance results.

[PW] *Fact* - none of us know. So let’s find out. Assuming to know what a customer / stakeholder thinks is a rookie mistake. The BSI is a major “implementation” and for that reason, I hope Mozilla will offer an opinion and try to learn more. It’s a great opportunity to find out what their perception is. This forum is like an unhealthy religious cult where people aren’t open to being wrong about anything. Can we try to find common ground - such as our desire to help make the web safer.

- Paul

> Thanks,
> Peter
Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser
On Oct 18, 2019, at 6:31 PM, Peter Gutmann wrote:

> Paul Walsh via dev-security-policy writes:
>
>> I have no evidence to prove what I’m about to say, but I *suspect* that the
>> people at BSI specified “EV” over the use of other terms because of the
>> consumer-visible UI associated with EV (I might be wrong).
>
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV. If there was a
> Mother-validated cert type, the list would no doubt have included MV as well.
>
> In fact if you're going to go to sheep's-entrails levels of interpretation,
> they place EV last on their list, and it's phrased more as an afterthought
> than the first two ("must support DV, OV, and also EV").
>
> You're really grasping at straws here...

[PW] Rather than comment on me, perhaps you could indulge us with your interpretation. At least I’m open to being wrong. Are you? Since it does the same thing as DV in regards to encryption, why do you think they specified EV?

- Paul

> Peter.
Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser
On Fri, Oct 18, 2019 at 6:31 PM Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Paul Walsh via dev-security-policy writes:
>
>> I have no evidence to prove what I’m about to say, but I *suspect* that the
>> people at BSI specified “EV” over the use of other terms because of the
>> consumer-visible UI associated with EV (I might be wrong).
>
> Except that, just like your claims about Mozilla, they never did that, they
> just give a checklist of cert types, DV, OV, and EV. If there was a
> Mother-validated cert type, the list would no doubt have included MV as well.

I think this is even easier. Kirk linked the article which links to the actual requirements at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Mindeststandards/Mindeststandard_Sichere_Web-Browser_V2_0.pdf

In section SW.2.1.01, it says "Zertifikate mit domainbasierter Validierung (Domain-Validated-Zertrifikate, DV), mit organisationsbasierter Validierung (Organizational-Validated-Zertrifikate, OV) sowie Zertifikate mit erweiterter Prüfung (Extended-Validation-Zertifikate) MÜSSEN unterstützt werden".

Bing Microsoft Translator says the English translation is "Certificates with domain-based validation (domain-validated certrifikate, DV), with organization-based validation (Organizational-Validated Certificates, OV) as well as certificates with Extended Validation Certificates MUST be supported"

This appears to be the only reference to EV in the requirements. Given the discussion has been around moving the UI treatment of EV to match OV (versus having a distinct EV-only UI treatment), I don't think there is likely to be any impact on the BSI conformance results.

Thanks,
Peter
Re: [FORGED] Re: Germany's cyber-security agency [BSI] recommends Firefox as most secure browser
Paul Walsh via dev-security-policy writes:

> I have no evidence to prove what I’m about to say, but I *suspect* that the
> people at BSI specified “EV” over the use of other terms because of the
> consumer-visible UI associated with EV (I might be wrong).

Except that, just like your claims about Mozilla, they never did that, they just give a checklist of cert types, DV, OV, and EV. If there was a Mother-validated cert type, the list would no doubt have included MV as well.

In fact if you're going to go to sheep's-entrails levels of interpretation, they place EV last on their list, and it's phrased more as an afterthought than the first two ("must support DV, OV, and also EV").

You're really grasping at straws here...

Peter.