On 12/30/2008 09:51 PM, Frank Hecker:
No e-commerce site should be using DV certs, and IMO all e-commerce sites should consider upgrading to EV certs. The market for DV certs is people like me, who want to provide basic security measures for a web site (or email server) but are not dealing with data of any monetary value and are not otherwise subject to laws or regulations that would cause us significant liability in the event of a breach.
Frank, I think the problem Ben pointed out is that it doesn't matter for what exactly the certificate /should/ be used, nor even for what exactly it /is/ used by the subscriber (note, Mozilla uses mainly regular SSL for its sites). The fact is that for domain validated (and higher validated) certificates the browser doesn't know the difference. The value of DV certificates is equal to the *highest* target protected by a non-EV certificate, period. This is potentially the highest risk.
Now, if you maybe recall, during the EV discussion some two years ago I presented an alternative model to EV. It had three different classes, one of which was EV, one of them was DV, and the middle ground was IV/OV. Maybe today some of you here might see the value of what I proposed back then, by making a distinction between DV, IV/OV and EV. I still believe that this is way better than what we have now; the threat model hasn't changed, nor have the risks.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org