<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>Hi Ryan,<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>You are right. The DV is for encryption only, not for identity. But OV is for encryption and identity, so it should have different UI.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>What I mean is that it is better that browser can tell end user the DV SSL is different from OV SSL, DV SSL is for secure only, not for identity. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>This is why I think Chrome UI should display “</span>domain ownership verified<span style='font-family:"Calibri",sans-serif;color:#1F497D'>” instead of “</span>Identity verified<span style='font-family:"Calibri",sans-serif;color:#1F497D'>” since it is NOT correct that this DV deployed site </span>Identity is verified.<span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Richard<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Tuesday, November 4, 2014 11:25 AM<br><b>To:</b> Richard Wang<br><b>Cc:</b> CABFPub; Dean Coclin<br><b>Subject:</b> Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p><br>On Nov 3, 2014 5:54 PM, "Richard Wang" <<a href="mailto:richard@wosign.com">richard@wosign.com</a>> wrote:<br>><br>> Hi all,<br>><br>> <br>><br>> I think we not only need to add DV and OV OID to end user certificate, but also the browsers should downgrade the DV UI to tell users that this site true identity is not verified! SSL not just for encryption, but also for identity, identity is more important than secure in now cyber situation.<br>><br>> Currently, all browser treat DV UI same as OV, this is NOT acceptable:<br>><br>> Chrome display a GREEN padlock like OV and say “Identity verified”, is this info correct?<br>><br>> <br>><br>> I like the DV UI of Comodo Dragon browser, it display a problem padlock and say “domain ownership verified”, this is the correct information for end user, DV SSL only verified domain ownership, NOT the website identity!<br>><br>> <br>><br>> I wish all browsers can downgrade the DV UI like Comodo browser, this is very fair to OV SSL user and benefit end user, this will help end user to know this site true identity is not verified. Sure, the basis is the SSL certificate must have the DV OID for easy identification for browsers and third party.<br>><br>> <br>><br>> Currently, all spoof websites are using DV SSL to cheat end user this site has same padlock as OV SSL since the DV SSL is easy to get and cheap even free.<br>><br>> <br>><br>> All comments are welcome, I wish the DV SSL will die in the future since the site identity is more important than encryption, spoof site has SSL is no any good meaning and is more dangerous than no SSL.<br>><o:p></o:p></p><p>That is correct, because SSL is not an anti-spoofing mechanism, despite some marketing it as such. DV is the single most important mechanism for securing the internet, and desiring a world without DV is to ignore the significant - but perhaps commercially uninteresting - value it provides.<o:p></o:p></p><p>This is just the same conversation of having browsers recognize OV, which none of the main browser vendors have expressed any interest in doing (and indeed, have made clear remarks against). While unsurprising to see a browser from a CA doing this, you are unlikely to see it elsewhere.<o:p></o:p></p><p>> <br>><br>> <br>><br>> Best Regards,<br>><br>> <br>><br>> Richard<br>><br>> <br>><br>> From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>] On Behalf Of Dean Coclin<br>> Sent: Thursday, October 30, 2014 10:34 PM<br>> To: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>> Subject: Re: [cabfpub] OIDs for DV and OV<br>><br>> <br>><br>><br>> _______________________________________________<br>> Public mailing list<br>> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>> <a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><br>><o:p></o:p></p></div></body></html>