On 12/31/2008 04:36 PM, Gervase Markham:
> Kyle Hamilton wrote:
>> Hmmm... actually, it would be possible, but only with the cooperation
>> of the CAs.
>>
>> We currently know the EV policy OIDs for EV-enabled roots.  What we
>> don't know is the policy OIDs assigned for different types of
>> validation,
>
> ...nor do we have, more to the point, a concrete definition of what
> should qualify as 'OV'. Each CA does things differently. That's why EV
> was created - to provide a minimum, defined, auditable standard of
> checking for purchaser identity.
>
> Saying "browsers need to differentiate DV from OV" is basically saying
> "we need to do the entire EV process again, but setting a lower bar".


Yes, basically we need a class or type in between DV and EV, preferably defining DV clearly as well. EV is clearly maximum, whereas DV is clearly minimum. There is a middle ground ignored which is bad. There are organizations which can't be validated according to EV, they would certainly benefit from it. Besides that, I believe there is also a need for IV. From my experience there are many subscribers which don't need, want or can do EV, but nevertheless want something more than DV. The same is for the relying parties.

We don't need to redefine EV, but add another class (even if you are very proud of EV). :-)


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
