Florian Weimer wrote:
>> No e-commerce site should be using DV certs, and IMO all e-commerce
>> sites should consider upgrading to EV certs. The market for DV certs
>> is people like me, who want to provide basic security measures for a
>> web site (or email server) but are not dealing with data of any
>> monetary value and are not otherwise subject to laws or regulations
>> that would cause us significant liability in the event of a breach.
> What is a "breach" in this context?
For example, suppose I were running a personal site for me and my
friends, with perhaps a shared mail server enabled for SSL over IMAP and
SMTP, a group blog enabled for SSL over HTTP for authentication of the
blog authors, etc. We'd be using the site only for personal use, and the
only relying parties would be me and my friends. A breach in this
context might be something like the Debian weak key problem or this MD5
thing, where someone else might be able to do a MITM attack, capture our
IMAP and SMTP passwords and access our mail accounts, capture our blog
passwords and be able to post as us, etc.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
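The "MD5 thing" Frank mentions is taken here to mean certificates whose signature uses the MD5 hash; a relying party on a small personal site can at least check its own cert chain for that. The following is an added example, not code from the thread or from Mozilla: it reads only the outer DER structure of an X.509 certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and flags signature algorithms built on MD2, MD5 or SHA-1. The parser works on real DER certificate bytes; the sample certificates in the block are constructed stand-ins with stub tbsCertificate and signature fields, and the Debian weak-key check is out of scope because it needs the published blacklist.

```python
"""Flag X.509 certificates signed with a broken hash (MD2/MD5/SHA-1).

Added example; not part of the original mailing-list post.  Only the
outer certificate structure is parsed, so real DER certificates work as
input.  The sample certs at the bottom are constructed for the demo.
"""

# Signature-algorithm OIDs that rely on MD2, MD5 or SHA-1.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _encode_length(n):
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted):
    """DER-encode a dotted OID string (base-128 arcs, first two combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(content):
    """Turn OID content bytes back into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Extract the OID from the certificate's signatureAlgorithm field."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    # Skip tbsCertificate (the first inner SEQUENCE).
    tag, _, tbs_end = _read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def weak_signature(cert_der):
    """Return the weak algorithm name, or None if the signature hash is fine."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


def build_sample_cert(sig_oid):
    """Constructed stand-in certificate: stub tbsCertificate and signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))          # placeholder INTEGER
    alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xaa" * 8)            # placeholder BIT STRING
    return der_tlv(0x30, tbs + alg + sig)


MD5_CERT = build_sample_cert("1.2.840.113549.1.1.4")     # md5WithRSAEncryption
SHA256_CERT = build_sample_cert("1.2.840.113549.1.1.11")  # sha256WithRSAEncryption

if __name__ == "__main__":
    for name, cert in (("md5 sample", MD5_CERT), ("sha256 sample", SHA256_CERT)):
        print(name, "->", weak_signature(cert) or "ok")
```

For a real certificate, feed the bytes of a DER file (or the decoded body of a PEM file) to `weak_signature`; it only inspects the signatureAlgorithm field, so it says nothing about key size or the Debian weak-key issue.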
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto