On 3/1/09 23:05, Gervase Markham wrote:
Eddy Nigg wrote:
For example?
Anything out of this list: https://www.startssl.com/?app=30#requirements

You want us to make an IV certificate which can be issued to businesses
without "verifiable physical existence and business presence"?

You mean they want a price point in between DV and EV? :-)
Yeah, also. And why not? For many, EV is overkill,

But it's not for their benefit they are getting that level of vetting,
it's for the benefit of their customers.


Um. Are CAs competent to understand, provide and measure for the benefit of their subscribers' customers? Do they even have communication with their subscribers' customers?


Let's put it another way: how do we explain the difference between EV
and this new level to consumers? "You can do transactions up to $X if
there's an EV cert, but only $X / 10 if it's a NewV cert?" Who's going
to pay attention to that?


OK, so we have a discussion that launches into several different models of what CAs might do: vetting on identity, or on physical presence, and coverage for transactions of different sizes.

Which of the two do consumers want? Did anyone ask them? (The answer is almost certainly not. We know as a more or less accepted fact that the design of secure browsing was for Credit Cards, and the benefit there is solely for CC vendors, not consumers, because the consumers are already covered by the $50 liability limit. They never had any real concern whatsoever that anyone was reading their cc numbers.)

Which is to say: any model of protection in this area is very difficult to justify. We have what we have. Whether it is any use, or whether it is balanced or economic, is ... tough to show.

How do we solve this problem? Classically, the market bumbles around until a product takes off. In this view, the notion of doing an EV, then an IV, and finally a DV is cool. Each will work, or fail. Either way, we, the market will learn something.

What we will never learn from is not trying anything, which is what we learnt for most of the history of PKI. If there is something good out of EV it is that we can do this, we can organise and make a change. Even a bad change is better than no change.




iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto