Ian G wrote, On 2008-09-24 05:12:
> Nelson B Bolyard wrote:
>> Ian G wrote:
>>> Nelson B Bolyard wrote:
>>> The curiosity here is that the Certificate Policies extension may
>>> not be shown prominently by software. As the point of the cert is
>>> to make some claim to the user, and the essence of that claim is
>>> somehow pertinent to the user's choice, it is understandable that
>>> issuers have been frustrated in the past by lack of display of the
>>> nature of the claim....
>> For PKI to work with ordinary mom-N-pop users, there must be a small
>> set of claims common to all CAs honored by a browser.
>
> Um. Can you point to that small set of claims?
I think that, presently, there are essentially 3 different sets of claims commonly used for SSL servers, and another small number of sets of claims commonly used for S/MIME certs.

The 3 sets of claims used for SSL servers have names "DV", "OV" and "EV". Of those, EV is well defined and documented. DV is pretty well understood, but I don't know of any document that defines it very well. OV is the least well defined, which is why browsers do not give any special treatment to OV certs.

In some sense, for Mozilla browser users, the definition of DV is (I think) the minimum set of things a CA must do to have its root CA cert accepted by the Mozilla Foundation. Maybe Frank can write up a statement of what it takes to qualify a DV CA. Mozilla's CA policy implies that such a definition exists, but doesn't seem to give it.

I think that, in practice, there are effectively two sets of claims widely used in email certs, and a third one is now being planned. The first two do not have vendor-independent names, so I will use one vendor's names for them: class 1 and class 2. Class 1 is for email what DV is for SSL. It proves a connection between the email address in the cert and the mailbox associated with that address, but nothing about the identity of the person behind the mailbox. Class 2 proves something about the identity of the person behind the mailbox, but it may be little more than a person's name or employee number.

I have read something that makes me believe that the CABForum is working on an EV-like definition for certs that could be used for individuals and/or email.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
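The thread turns on the Certificate Policies extension: the CA's claim about a certificate is carried as a policy OID (optionally with a pointer to the CA's CPS), and software that does not decode and display it leaves the user unable to tell DV from OV from EV. The example below is an added illustration, not code from the post or from Mozilla/NSS. It encodes and decodes the extension (RFC 5280 section 4.2.1.4) with a stdlib-only DER encoder/decoder, then maps each policy OID to the set of claims it names. The OIDs in the mapping table (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV) are the ones the CA/Browser Forum reserved for these claim sets years after this 2008 post; the post itself names no OIDs, so that table, the sample CPS URL and the private policy OID 1.2.3.4.5 are all assumptions constructed for the example.

```python
"""Encode and decode the X.509 Certificate Policies extension (RFC 5280 4.2.1.4)
with stdlib-only DER handling, then name the claim set behind each policy OID.
Added example; sample data is constructed, not taken from the mailing-list post."""

# Policy OIDs the CA/Browser Forum reserved for its claim sets (after this thread).
# Assumed mapping for the example: a relying party could label claims this way.
KNOWN_POLICIES = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # policy qualifier: CPS pointer (RFC 5280)


# --- minimal DER encoder ---------------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def encode_certificate_policies(policies):
    """policies: list of (policy_oid, cps_uri_or_None) -> DER extension value."""
    infos = b""
    for oid, cps in policies:
        body = der_oid(oid)
        if cps is not None:
            # policyQualifiers ::= SEQUENCE OF PolicyQualifierInfo { OID, IA5String }
            qualifier = der_tlv(0x30, der_oid(ID_QT_CPS) + der_tlv(0x16, cps.encode("ascii")))
            body += der_tlv(0x30, qualifier)
        infos += der_tlv(0x30, body)  # PolicyInformation
    return der_tlv(0x30, infos)  # certificatePolicies


# --- minimal DER decoder ---------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_certificate_policies(der: bytes):
    """Return [{'oid', 'claim', 'cps'}, ...], one entry per PolicyInformation."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, ipos = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oid = decode_oid(oid_body)
        entry = {"oid": oid, "cps": None,
                 "claim": KNOWN_POLICIES.get(oid, "unknown (CA-specific policy)")}
        if ipos < len(info):  # optional policyQualifiers present
            _, quals, _ = _read_tlv(info, ipos)
            qpos = 0
            while qpos < len(quals):
                _, qual, qpos = _read_tlv(quals, qpos)
                _, qid_body, vpos = _read_tlv(qual, 0)
                if decode_oid(qid_body) == ID_QT_CPS:
                    _, uri, _ = _read_tlv(qual, vpos)
                    entry["cps"] = uri.decode("ascii")
        result.append(entry)
    return result


if __name__ == "__main__":
    # Constructed sample: a DV policy with a CPS pointer, plus a CA-private policy OID.
    sample = encode_certificate_policies([
        ("2.23.140.1.2.1", "http://cps.example.invalid/"),  # placeholder URL
        ("1.2.3.4.5", None),
    ])
    for policy in decode_certificate_policies(sample):
        print(policy)
```

The second entry shows the situation the thread describes: a policy OID the software cannot name is exactly what a browser sees when a CA uses its own private OID and no shared definition exists, which is why the decoder reports it as unknown rather than guessing a claim level.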