<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
p.a, li.a, div.a
{mso-style-name:纯文本;
mso-style-link:"纯文本 Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.Char
{mso-style-name:"纯文本 Char";
mso-style-priority:99;
mso-style-link:纯文本;
font-family:"Calibri","sans-serif";}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">A few comments. First, if a bank is using anything other than EV, they shouldn’t be a bank.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">You can’t really split out the security provided by identity verification from the security provided by protection against eavesdropping into two separate things. If you have identity verification without encryption,
there can be no private information transmitted (which is usually pretty useless), and if you have encryption without identity verification, things are even worse, since there can be arbitrarily many “men in the middle”. TLS is an authenticated encryption
protocol.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">DV has uses beyond just its encryption function. Remember, DNS is not a trustworthy protocol. If you are talking to
<a href="http://something.example.com">http://something.example.com</a>, you don’t even know the information came from something.example.com, or even any machine owned, authorized, or administered by the owner of example.com. It could even be coming from 127.0.0.127.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">If you are talking to <a href="https://something.example.com">
https://something.example.com</a>, you know (with low confidence …) the information is coming from a machine administered by the owner of example.com. That’s certainly a big improvement over bare http; in fact I’d argue it’s getting close to time for bare
http to just go away in many use cases. It’s perfectly appropriate for, for example, reading articles or information posted by a small organization that owns a domain and little else. That it actually comes from the domain owner is all I really care about.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In my opinion, EV, OV, and DV all have their uses in certain scenarios. The fact that some people refuse to acknowledge use cases that are not important for their company or product(s) is not helpful. And it
should be easy to tell the intended use or uses of a certificate just by looking at the certificate. I support any and all proposals to move things in that direction over time.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Richard Wang<br>
<b>Sent:</b> Tuesday, November 04, 2014 10:54 PM<br>
<b>To:</b> Dean Coclin; Gervase Markham; public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">I withdraw the word "DV should go away" since it has encryption function for those sites that can't provide identity documents. But I still think the browser should identify the difference of DV SSL and OV SSL, tell end user clearly.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I agree Eddy said: it should be clearly "domain control validated" - that's what it is,
<b>not more and also not less</b>.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">And I agree Dean opinion that " DV is NOT sufficient use case for the majority of Internet e-commerce".
<o:p></o:p></p>
<p class="MsoPlainText"> <o:p></o:p></p>
<p class="MsoPlainText">And I still think the website identity is more important than security, if a bank spoof site has a DV SSL that display the same UI with OV SSL, then it is more dangerous than no SSL. This is why so many website identity providers to
prove the site true identity than SSL deployment in China.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Welcome other CAs speak out your opinion for this topic, thanks.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Best Regards,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Richard<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">From: Dean Coclin [<a href="mailto:Dean_Coclin@symantec.com">mailto:Dean_Coclin@symantec.com</a>]
<o:p></o:p></p>
<p class="MsoPlainText">Sent: Wednesday, November 5, 2014 10:07 AM<o:p></o:p></p>
<p class="MsoPlainText">To: Gervase Markham; Richard Wang; <a href="mailto:public@cabforum.org">
public@cabforum.org</a><o:p></o:p></p>
<p class="MsoPlainText">Subject: RE: [cabfpub] downgrade DV UI RE: OIDs for DV and OV<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I also disagree with that blanket statement, especially the word "downgrade". There are many legitimate uses for DV certs and that shouldn't be diminished or "downgraded". I agree with Gerv that DV should not "go away"<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">For the majority of consumers though, do you think it's sufficient to know that they are connected to "match.com"? I would think it would be better for them to know that they are connected to "Match.com, Inc". More specifically, is DV
a sufficient use case for the majority of Internet e-commerce? <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">From: Gervase Markham [<a href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>]
<o:p></o:p></p>
<p class="MsoPlainText">Sent: Tuesday, November 04, 2014 8:39 PM<o:p></o:p></p>
<p class="MsoPlainText">To: Richard Wang; Dean Coclin; <a href="mailto:public@cabforum.org">
public@cabforum.org</a><o:p></o:p></p>
<p class="MsoPlainText">Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 04/11/14 01:52, Richard Wang wrote:<o:p></o:p></p>
<p class="MsoPlainText">> I think we not only need to add DV and OV OID to end user certificate,
<o:p></o:p></p>
<p class="MsoPlainText">> but also the browsers *should downgrade the DV UI* to tell users that
<o:p></o:p></p>
<p class="MsoPlainText">> this site true identity is not verified!<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I disagree with that as a blanket statement.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">There are many Internet businesses which are known simply by their domain name. "match.com", and so on. For them, a DV certificate, which proves that the holder of the certificate owns
<a href="http://scanmail.trustwave.com/?c=4062&d=xJ_Z1H2thi_aV6bTok68LPmE09Nf15ZRM5VL6cBO3Q&s=5&u=http%3a%2f%2fmatch%2ecom">
match.com,</a> has verified their identity to a degree which is often sufficient.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Clearly, this is not all you need in every case, but it's not true to say that "identity is not verified" for DV certificates. It depends what sort of identity verification an end user needs.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> Chrome display a GREEN padlock like OV and say “Identity verified”, is
<o:p></o:p></p>
<p class="MsoPlainText">> this info correct?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It says that underneath a reprint of the domain name - which is the piece of identity which has been verified.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> All comments are welcome, I wish the DV SSL will die in the future
<o:p></o:p></p>
<p class="MsoPlainText">> since the site identity is more important than encryption, spoof site
<o:p></o:p></p>
<p class="MsoPlainText">> has SSL is no any good meaning and is more dangerous than no SSL.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">DV is the only plausible route to the web being secure by default. It is not going to go away.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Gerv<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.<br>
</font>
</body>
</html>