<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 11/07/2014 02:02 AM, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvYLEGe9+dEHDmBdDMMhWDUVQ27abWfpugD6ReWOiOFsgA@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">I know I'm probably kicking a hornet's
nest here, but in the current world (and the past decade+ of
OV practices, even if not formalized), when would a subscriber
ever knowingly, intentionally choose OV?</div>
</div>
</blockquote>
<br>
I'm in favor of kicking that nest a little bit, let's see if there is
still something alive in there :-)<br>
<br>
<blockquote
cite="mid:CACvaWvYLEGe9+dEHDmBdDMMhWDUVQ27abWfpugD6ReWOiOFsgA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>- Does it affect the security of your page as displayed
in browsers? No</div>
<div>- Does it affect the UI of browsers? No</div>
<div>- Does it prevent misissuance by other CAs? No</div>
<div>- Does it meet any form of regulatory requirements that
might require ticking that box? No</div>
</div>
</div>
</div>
</blockquote>
<br>
Does it reduce risk of intentional abuse? Yes<br>
Does it provide a trace to a real (legal) entity? Yes<br>
Does it provide additional information to the subscriber if
necessary? Yes (albeit carefully hidden by the browsers, to make it
difficult to reach)<br>
<br>
Or the other way around, why don't we just issue code signing
certificates to anyone able to validate an email address? Ask Tom.<br>
<br>
<blockquote
cite="mid:CACvaWvYLEGe9+dEHDmBdDMMhWDUVQ27abWfpugD6ReWOiOFsgA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">That is, I can not find a single
reason why any consumer would WANT to purchase OV, beyond
that they've been convinced (likely by a CA or reseller)
that they NEED it.</div>
</div>
</div>
</blockquote>
<br>
One reason I can give you is that either the CA doesn't issue any DV
certs or that the CA isn't willing to issue a certain type of
certificate without verification (of the entity). Or the subscriber
makes an informed decision deciding that he/she wants to have the
verified details in the certificate.<br>
<br>
<blockquote
cite="mid:CACvaWvYLEGe9+dEHDmBdDMMhWDUVQ27abWfpugD6ReWOiOFsgA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Consider the discussion upthread, where it was
suggested "OV should be the minimum for e-commerce".
Maybe, maybe not, but it isn't, but that seems to rely on
CAs thinking that subscribers are checking all the
certificate UIs to check that identity information, which
they don't (and on some platforms, <b>can't</b>).</div>
</div>
</div>
</div>
</blockquote>
<br>
No, the fact that there was a verification performed is already
reason - the details are in the certificates, even if the majority
will never see it.<br>
<br>
<blockquote
cite="mid:CACvaWvYLEGe9+dEHDmBdDMMhWDUVQ27abWfpugD6ReWOiOFsgA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>That said, as unrealistic as it is, I suspect some CAs
are expecting that, since nearly every CA I've seen often
words precisely that into their liability disclaimers -
that if the RP didn't check the UI, the RP has no standing
to make a claim against the CA.</div>
</div>
</div>
</div>
</blockquote>
<br>
I don't know about other CAs, but it's not a common requirement as
far as I know. Rather the relying party must check with a revocation
checking method (either OCSP or CRL).<br>
<br>
<blockquote
cite="mid:CACvaWvYLEGe9+dEHDmBdDMMhWDUVQ27abWfpugD6ReWOiOFsgA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>So, despite my antagonism towards OV, I'd love to know
why anyone would actively choose OV, and what <b>real</b> benefits
there are over DV for those that do.</div>
</div>
</div>
</div>
</blockquote>
<br>
It's always a question of risk - have I ever bought anything from a
site that had only a DV cert? I admit that I did, but I was willing
to take the risk for the particular service or product I wanted
because I probably wanted it more than I was afraid of losing the
money or whatever. Would I take the same risk always? No, I wouldn't
if there is a better alternative, or I probably wouldn't deal as much
on the net as I do.<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>