On 03/27/2009 06:48 AM, Kyle Hamilton:
My thought was designed to reduce the barrier to entry to the
CA-managed PKI. (Class 0: no verification performed, SSC. Class 1:
CA has verified that the holder of the private key that corresponds to
the public key in the certificate can read emails sent to the email
address. Eddy, what are the definitions of Class 2 and Class 3 that
Startcom applies, as they relate to its S/MIME offerings?)
_Legend:_
* Class 1 certificates provide modest assurances, mainly that the
domain name belongs to the owner of the respective server address
or mail address, respectively. These certificates, however, provide no
proof of the identity of the subscriber. The details may still be
valid, but they are not verified!
* Class 2 certificates provide medium assurances about the
subscriber's identity, in relation to Class 1, and subscribers of
Class 2 certificates have to prove their identity by various means.
* Class 3 certificates provide a high level of assurance about the
identity of the subscriber in comparison with Class 1 and 2 and
are issued only to entities or individuals that the StartCom
Certification Authority knows without any doubt or that were validated
during a face-to-face meeting.
* Extended Validation certificates provide a high level of assurance
about the identity of the subscriber and certificates are verified
and issued according to the Extended Validation guidelines as
published by the CA/Browser Forum.
<http://www.cabforum.org/documents.html>
Adjust the above legend to email addresses instead of domain names.
By the way, I'm *absolutely disgusted* by seeing the CN field be
"Startcom Free Certificate Member".
Perhaps you haven't used S/MIME certs from other providers then... :-)
But of course it's clearly aimed at getting the subscriber to validate
his identity. It's signaling that this certificate has no other
validated attributes. Performing the validation serves a dual purpose
here. First of all, we believe that validated identities may solve one of
the problems of in-authenticity on the Internet, and we are clearly
promoting it; second, it serves a business purpose (which is opt-in),
which nobody denies.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto