<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>Let me answer your question since this topic is opened by me.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>I engaged in CA industry for 10 years from reseller of GeoTrust, Thawte, VeriSign to my own brand CA that cooperated with Comodo and Startcom. I think we deal with more than 30,000 website owners to use SSL in the past 10 years.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>For big company, bank, stock, fund, ecommerce website, they like to choose OV to display its name in the subject, not just display domain name. This is the truth. Sorry, Ryan, not same as you think. In China, website owner think the site true identity is more important than SSL secured, this is why there are so many website identity verification providers in China and so many trust logo in every website, but no SSL.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>Since the DV SSL exist, same padlock display as OV SSL. This confused browser user that they don’t know what the difference between the two site: one with DV, another one with OV. This problem bring a big security problem that all fraudulent websites deployed DV SSL to cheat online consumers.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>For example: the big bank in China is ICBC, its website is <a href="http://www.icbc.com.cn">www.icbc.com.cn</a></span><span style='font-family:"Calibri",sans-serif'>. <span style='color:#1F497D'>At 2007</span>, <span style='color:#1F497D'>one of the fraudulent website is <a href="http://www.1cbc.com.cn">www.1cbc.com.cn</a> </span><b><span style='color:red'>(i changed to 1)</span></b><span style='color:red'> </span><span style='color:#1F497D'>that has a same padlock, same web pages, many e-banking users fell into this trap and lost money.<o:p></o:p></span></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>Just image: If the browser display different UI for OV like display padlock and the bank name, but display DV as “domain ownership verified only”. I am sure the user can easily find out this site is a fraudulent bank website. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>Luckily, EV come out (thanks to CAB Forum founders), and ICBC deployed EV SSL now. but I think OV SSL deployed amount is more than EV now, I still think browser should tell users the site true identity to protect them falling into the trap. <o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'>I think site security not just SSL encrypted connection, but also identity fraud protection, I wish browsers can do it better.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Richard<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Friday, November 7, 2014 8:03 AM<br><b>To:</b> Eddy Nigg<br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Nov 6, 2014 at 3:53 PM, Eddy Nigg <<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><p class=MsoNormal><br>No, sometimes it's also a risk assessment where a CA is willing or not willing to issue a certificate with a domain control validation only - again also here differences exist. <br>And many times subscribers know exactly what they are doing and want their entity to be verified, but not EV (which they could if they want). <br>And sometimes I guess you are right, they enroll for something they think sounds good but might not be necessary. Or the other way around too (should do OV, but prefer DV).<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I know I'm probably kicking a hornet's nest here, but in the current world (and the past decade+ of OV practices, even if not formalized), when would a subscriber ever knowingly, intentionally choose OV?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- Does it affect the security of your page as displayed in browsers? No<o:p></o:p></p></div><div><p class=MsoNormal>- Does it affect the UI of browsers? No<o:p></o:p></p></div><div><p class=MsoNormal>- Does it prevent misissuance by other CAs? No<o:p></o:p></p></div><div><p class=MsoNormal>- Does it meet any form of regulatory requirements that might require ticking that box? No<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I mean, in the world of OV today, even in a S2S federated case, you can't "pin" a certificate to say that you expect OV. MAYBE the CA has distinguished their DV vs OV intermediates, and you could pin to the OV-only intermediate, but that's not really any more security than just giving the CA an authorized list of Applicants and routing requests through them (and without the added hassle of pinning).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That is, I can not find a single reason why any consumer would WANT to purchase OV, beyond that they've been convinced (likely by a CA or reseller) that they NEED it.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Consider the discussion upthread, where it was suggested "OV should be the minimum for e-commerce". Maybe, maybe not, but it isn't, but that seems to rely on CAs thinking that subscribers are checking all the certificate UIs to check that identity information, which they don't (and on some platforms, <b>can't</b>).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That said, as unrealistic is it is, I suspect some CAs are expecting that, since nearly every CA I've seen often words precisely that into their liability disclaimers - that if the RP didn't check the UI, the RP has no standing to make a claim against the CA.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>So, despite my antagonism towards OV, I'd love to know why anyone would actively chose OV, and what <b>real</b> benefits there are over DV for those that do.<o:p></o:p></p></div></div></div></div></div></body></html>