On Mon, Aug 25, 2008 at 10:24 AM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
>
> I'm living in the same world as you do my friend! And yes, I suggest
> that EV sites shouldn't outsource anything not under their control.
> That's because the site operator (of an EV site) doesn't have control
> over outsourced service. How can such an EV site operator guarantee the
> integrity of the valuable data? He can't and therefore EV shouldn't be
> mixed with anything.
As far as the legal system is concerned, a contractual obligation is perfectly adequate for everything up to and including fiduciary interaction. In fact, many US government contractors (those who handle USPS comment and survey cards, for example) are required to make it a point in their employment terms that sensitive/private data must never be used for anything other than US Government business. (I realize that Mozilla has a global reach, and that I am likely overgeneralizing based on my understanding of US law, but legal recourse exists in pretty much every jurisdiction that I have ever heard of.)

In the event of a contract (either electronic or physical), the EV site operator has legal assurance and agreement to adhere to the minimum standards required, and has legal recourse if those requirements are violated. The end user has legal assurance (in the form of the EV site operator's privacy policy) and legal recourse if anyone that the EV site operator allows to touch the data violates those terms. This is in addition to the standard fiduciary requirements, which carry criminal penalties if they're breached.

There is a concept of "good enough". It would be "good enough" to be able to state that the EV site operator takes responsibility for all breaches of its privacy policy caused by anything that the EV site operator includes and references with its knowledge on its pages.

> BTW, there are fantastic programs for web statistics and analysis.

Alright, how about content distribution through something like edgesuite? The particulars of why an EV site operator would want to outsource some aspect or service are rather irrelevant -- valid scenarios for needing the ability to outsource do exist, and I don't see any reason why their hands should be shackled.

Additional issues involved are "the cost of an EV certificate for every host".
The last time I dealt with Verisign (which was, granted, about 7 years ago now), my company purchased a pack of 10 certificates, and we used 3 of them. Looking at Verisign's current pricing suggests that this model (price per-certificate-per-capability-per-server) hasn't changed.

Extended Validation certificate prices, from Verisign: $2695 for 2 years, "128-bit to 256-bit", 1 server license -- for the EV Pro (which includes Server Gated Cryptography, which I thought was made irrelevant in 2000). $1790 for 2 years, "40-bit to 256-bit", 1 server license, for EV. That's a $905 difference for an extra $150,000 in insurance and a minimum bit requirement which could just as easily be set in the server configuration -- and there are no discounts offered for anything fewer than 4 hosts. (This compared to $1790 for 2 years for non-EV SGC, $695 for 2 years for non-EV non-SGC.)

Your proposal would require every individual hostname referenced by an EV-validated site to have the extra "EV tax" paid for it. I realize that other CAs may price themselves differently, such as by charging a de minimis fee to issue any number of certificates after a (VERY costly) EV validation of corporate existence... but I can't see why the Mozilla Foundation should under any circumstances help CAs artificially inflate their profit margins by forcing people who want to use EV to either reduce the services they have available to create their site or bite the bullet and pay the extra tax just to get the green site name.

On top of this, it's still not clear to me how the rules for identification and presentation of "mixed" versus "pure" content should work.
Completely ignoring the concept of DNS attacks(*) (since an EV certificate is supposed to be proof that a given site is under the control of someone specific, regardless of what DNS reports) by simply removing the DNS from the trust validation equation, there are 12 scenarios that haven't really been properly mapped:

Scenario 1: EV origin, Same issuer, same Subject, EV
Scenario 2: EV origin, Same issuer, different Subject, EV
Scenario 3: EV origin, Different issuer, same Subject, EV
Scenario 4: EV origin, Different issuer, different Subject, EV
Scenario 5: non-EV origin, Same issuer, same Subject, EV
Scenario 6: non-EV origin, Same issuer, different Subject, EV
Scenario 7: non-EV origin, Different issuer, same Subject, EV
Scenario 8: non-EV origin, Different issuer, different Subject, EV
Scenario 9: EV origin, Same issuer, same Subject, non-EV
Scenario A: EV origin, Same issuer, different Subject, non-EV
Scenario B: EV origin, Different issuer, same Subject, non-EV
Scenario C: EV origin, Different issuer, different Subject, non-EV

as well as the 4 that we already have mapped:

Scenario D: non-EV origin, Same issuer, same Subject, non-EV
Scenario E: non-EV origin, Same issuer, different Subject, non-EV
Scenario F: non-EV origin, Different issuer, same Subject, non-EV
Scenario 10: non-EV origin, Different issuer, different Subject, non-EV

Scenarios D, E, F, and 10 have all been mapped to "pass as non-mixed content".

How should the chrome be presented, in each of these scenarios? Why?

(*): I'm not proposing removing the sanity check against the DNS that currently exists to make sure that the machine is really answering what the browser thinks it's supposed to be, I'm simply lumping DV and standard-validation certificates into the "non-EV" category for purposes of figuring out what should be identified as "mixed content" in conjunction with EV.
-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
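Added illustration, not code from the thread: the sixteen scenarios in the post are a 4-bit code over (origin EV?, same issuer?, same Subject?, resource EV?), so a browser-side classifier can derive the label from the two certificates and apply only the mappings the thread states (D, E, F and 10 pass as non-mixed; under the quoted position an EV origin referencing a non-EV host is mixed), leaving every other scenario explicitly unmapped. CertInfo and the sample DNs are constructed stand-ins, not real certificate data.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class CertInfo:
    """Constructed stand-in for the certificate fields the scenario table keys on."""
    issuer: str   # issuer DN of the end-entity certificate
    subject: str  # subject DN (the validated organisation, not the hostname)
    ev: bool      # True when the chain validates under an EV policy


def scenario(origin: CertInfo, resource: CertInfo) -> str:
    """Return the hex scenario label (1..10) for one subresource load.

    The numbering in the post is a 4-bit code starting at 1:
      +8 resource is non-EV, +4 origin is non-EV,
      +2 different issuer,   +1 different Subject.
    """
    n = 1
    n += 8 * (not resource.ev)
    n += 4 * (not origin.ev)
    n += 2 * (origin.issuer != resource.issuer)
    n += 1 * (origin.subject != resource.subject)
    return format(n, "X")


# Only what the thread states: D, E, F and 10 already pass as non-mixed.
ALREADY_MAPPED = {"D", "E", "F", "10"}


def chrome_decision(origin: CertInfo, resource: CertInfo,
                    strict_ev: bool = False) -> tuple:
    """Classify a load. strict_ev models the quoted position that an EV origin
    must not reference anything that is not itself EV (scenarios 9..C)."""
    label = scenario(origin, resource)
    if label in ALREADY_MAPPED:
        return label, "pass as non-mixed content"
    if strict_ev and origin.ev and not resource.ev:
        return label, "mixed content"
    return label, "unmapped"  # the open question the post asks


def all_scenarios() -> dict:
    """Enumerate every (origin_ev, same_issuer, same_subject, resource_ev)
    combination; the 4-bit code hits each label 1..10 exactly once."""
    table = {}
    for origin_ev, same_issuer, same_subject, resource_ev in product((True, False), repeat=4):
        origin = CertInfo("CA-A", "Org-A", origin_ev)
        resource = CertInfo("CA-A" if same_issuer else "CA-B",
                            "Org-A" if same_subject else "Org-B", resource_ev)
        table[scenario(origin, resource)] = (origin_ev, same_issuer, same_subject, resource_ev)
    return table
```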