<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 6, 2014 at 3:53 PM, Eddy Nigg <span dir="ltr"><<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span class="">
<br></span>
No, sometimes it's also a risk assessment where a CA is willing or
not willing to issue a certificate with a domain control validation
only - again also here differences exist. <br>
And many times subscribers know exactly what they are doing and want
their entity to be verified, but not EV (which they could if they
want). <br>
And sometimes I guess you are right, they enroll for something they
think sounds good but might not be necessary. Or the other way
around too (should do OV, but prefer DV).<span class=""><br><div><br></div></span></div></blockquote><div><br></div><div>I know I'm probably kicking a hornet's nest here, but in the current world (and the past decade+ of OV practices, even if not formalized), when would a subscriber ever knowingly, intentionally choose OV?</div><div><br></div><div>- Does it affect the security of your page as displayed in browsers? No</div><div>- Does it affect the UI of browsers? No</div><div>- Does it prevent misissuance by other CAs? No</div><div>- Does it meet any form of regulatory requirements that might require ticking that box? No</div><div><br></div><div>I mean, in the world of OV today, even in a S2S federated case, you can't "pin" a certificate to say that you expect OV. MAYBE the CA has distinguished their DV vs OV intermediates, and you could pin to the OV-only intermediate, but that's not really any more security than just giving the CA an authorized list of Applicants and routing requests through them (and without the added hassle of pinning).</div><div><br></div><div>That is, I can not find a single reason why any consumer would WANT to purchase OV, beyond that they've been convinced (likely by a CA or reseller) that they NEED it.</div><div><br></div><div>Consider the discussion upthread, where it was suggested "OV should be the minimum for e-commerce". Maybe, maybe not, but it isn't, but that seems to rely on CAs thinking that subscribers are checking all the certificate UIs to check that identity information, which they don't (and on some platforms, <b>can't</b>).</div><div><br></div><div>That said, as unrealistic is it is, I suspect some CAs are expecting that, since nearly every CA I've seen often words precisely that into their liability disclaimers - that if the RP didn't check the UI, the RP has no standing to make a claim against the CA.</div><div><br></div><div>So, despite my antagonism towards OV, I'd love to know why anyone would actively chose OV, and what <b>real</b> benefits there are over DV for those that do.</div></div></div></div>