A few amusing (lies, damned lies, and) statistics...

Small business accounts for slightly more than 50% of the US gross domestic product (source: http://www.smallbusinessnotes.com/aboutsb/rs299.html). There were, in 2005 (the latest year for which statistics are available), 6 million small employers (fewer than 500 employees) and 17.5 thousand large employers (500+ employees) in the United States (source: http://www.sba.gov/advo/research/profiles/08us.pdf).

I hope I don't have to point out the business merits of targeting something other than the 17.5k big fish with something more affordable. And that includes all of the nonprofits which don't have the budget for EV certification, but which need more than a domain-validated certificate to be able to call attention to the fact that they are legitimate organizations.

I do need to point out that because there's no differentiation in the user interface between identity-validated certificates, many businesses are opting for domain-validated certificates as a cost-cutting measure, and using them to secure e-commerce sites.

And since EV targets essentially only the 17.5 thousand, it's not a stretch to realize that Mozilla (and the CA/B Forum) are putting a huge UI, technical, and marketing effort into asking the 17.5k large companies to pay more in order to protect their customers against phishing on... less than half of a percent of businesses.

Phishing is by no means the only kind of fraud out there. Domains which have servers which are not secure pose a much bigger risk of fraud than the relatively tiny number of sites which are fat targets for phishers.

Certificates cannot prevent fraud. They do not and cannot state anything at all about a given entity's business model (which can, and often does, change at the speed of thought). All they can do is identify who was supposed to have had control of the private key for the public key which was certified.

-Kyle H

On Thu, Jan 1, 2009 at 7:39 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/02/2009 04:38 AM, Kyle Hamilton:
>>
>> From what I can see, the general overall idea that Eddy is suggesting
>> seems to be:
>>
>> Type 1: the person requesting the certificate has shown that they have
>> some means of accessing things either in their mailbox or in the
>> URI-space of the domain. (DV)
>>
>> Type 2: (currently nonexistent) non-EV-eligible entities, businesses
>> which don't present a large enough attack surface to create a large
>> economic impact were their site MITM-attacked, have provided and shown
>> legal paperwork which backs up their assertions such that the CA is
>> willing to certify their identity in the Subject field (essentially
>> the initial requirements of Verisign/Thawte et al)
>>
>> Type 3: extended verification of identity and legal existence, all
>> documents checked against their original sources, etc (EV)
>>
>> (These are NOT to be confused with "Class N" as currently used by
>> Verisign et al.)
>>
>> Is this correct? Or am I misunderstanding?
>>
>
> This is more or less correct. It's the middle ground which isn't covered
> very well. It's anything above webmail, forums and blogs, but less than
> what is called "high profile brand". A small part-time shop selling some
> widgets is a good fit for this Class. Those are many times individuals or
> small businesses.
>
> (BTW, the small businesses still make up an important part of the economy
> usually)
>
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog: https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto