From what I can see, the general overall idea that Eddy is suggesting seems to be:

Type 1: the person requesting the certificate has shown that they have some means of accessing things either in their mailbox or in the URI-space of the domain. (DV)

Type 2: (currently nonexistent) non-EV-eligible entities, businesses which don't present a large enough attack surface to create a large economic impact were their site MITM-attacked, have provided and shown legal paperwork which backs up their assertions such that the CA is willing to certify their identity in the Subject field (essentially the initial requirements of Verisign/Thawte et al)

Type 3: extended verification of identity and legal existence, all documents checked against their original sources, etc (EV)

(These are NOT to be confused with "Class N" as currently used by Verisign et al.)

Is this correct? Or am I misunderstanding?

-Kyle H

On Thu, Jan 1, 2009 at 3:15 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/01/2009 11:36 PM, Gervase Markham:
>>
>> Eddy Nigg wrote:
>>>
>>> Yes, basically we need a class or type in between DV and EV, preferably
>>> defining DV clearly as well. EV is clearly maximum, whereas DV is
>>> clearly minimum.
>>
>> EV is definitely not maximum. There's a load more stuff that could be
>> done (some of which I wanted, like site visits) which we didn't get.
>
> Yes of course. EV is _currently_ the maximum validation CAs will do for the
> bucks as it seems. I'm not aware of offerings proposing anything else by
> judging those of the most popular CAs. But maybe you are right and there
> might be room for a fourth (high-high) class even.
>
>>
>>> There is a middle ground ignored which is bad. There
>>> are organizations which can't be validated according to EV, they would
>>> certainly benefit from it.
>>
>> For example?
>
> Anything out of this list: https://www.startssl.com/?app=30#requirements
>
> Self-employed and small business of different types and forms which are
> legal businesses in many countries are exempt. Not speaking about
> individuals which are out of the scope of EV. That's where the middle Class
> comes in.
>
>>
>>> Besides that, I believe there is also a need
>>> for IV. From my experience there are many subscribers which don't need,
>>> want or can do EV, but nevertheless want something more than DV. The
>>> same is for the relying parties.
>>
>> You mean they want a price point in between DV and EV? :-)
>
> Yeah also. And why not? For many EV is an overkill, DV is too little and
> many would provide attestation about their identity and organization (which
> is way better than DV). I have been consistent in my view in this respect.
> It comes from my day-to-day experience.
>
> Additionally, there are certain types of certificates (like wild cards)
> which would benefit from higher validation too. Unfortunately EV disallows
> wild cards, hence they are lumped together with the DV pool (and again, also
> here with its maximum requirements CAs are willing to do for domain
> validation).
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog: https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto