[cabfpub] FW: downgrade DV UI RE: OIDs for DV and OV

Dean Coclin Dean_Coclin at symantec.com
Tue Nov 4 22:56:38 MST 2014


Forwarding to the public list

-----Original Message-----
From: John Nagle [mailto:nagle at sitetruth.com] 
Sent: Wednesday, November 05, 2014 3:55 PM
To: public at cabforum.org
Cc: Richard Wang; Dean Coclin; Gervase Markham; eddy_nigg at startcom.org;
realsky at cht.com.tw; sleevi at google.com
Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV

    As a user of organization data in certificates, for the purpose of
answering the question "Who are you dealing with?", I have a few comments.
We use that data to match web sites with non-web business information
sources to find out more about the business behind the site, for site rating
purposes.

    The CA/Browser Forum has devoted considerable effort to establishing
three levels of certificates.  CAB calls them DV, OV, and EV; some European
CAs call them levels 1, 2, and 3; SwissSign uses the terms Silver, Gold, and
Platinum.  The levels generally correspond to "domain control validated",
"organization validated", and "organization more strongly validated".
That's useful information.
It tells whether the O, L, C, and OU fields can be trusted.

    That's the real issue. The exact mechanism is up to the CA/Browser
Forum.  Whatever is decided needs to be clearly documented to relying
parties.

    Again, the question for the relying party is "Who am I connected
to?" That's the important thing to get right. Without that, CA certs are no
better than self-signed certs.

Re: "For the majority of consumers though, do you think it's sufficient to
know that they are connected to "match.com"? I would think it would be
better for them to know that they are connected to "Match.com, Inc"."
(Coclin, Symantec)

Agreed.  Especially with the name games that can be played with all those
new TLDs.  There are now over a thousand domain suffixes.
(The list: "https://publicsuffix.org/list/effective_tld_names.dat")

Re: "And I still think the website identity is more important than security,
if a bank spoof site has a DV SSL that display the same UI with OV SSL, then
it is more dangerous than no SSL. This is why so many website identity
providers to prove the site true identity than SSL deployment in China."
(Wang, Wosign)

Agreed.  It's very easy to get a DV cert. All you need is the ability to
receive (or intercept) mail at the domain of interest.

			John Nagle
			SiteTruth
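As an added illustration of the relying-party view in the message above (example code, not part of the thread): a Python routine that reads the CA/Browser Forum policy OIDs to classify a certificate as DV, OV or EV and surfaces the organization fields only when that level says the CA verified them. The sample subject names are constructed, and the DN parser handles only comma-separated RDNs with backslash escapes.

```python
"""Which certificate subject fields may a relying party trust? Decided from the
CA/Browser Forum policy OIDs. Added example for this thread; inputs are constructed."""

# CA/B Forum reserved policy OIDs (Baseline Requirements / EV Guidelines).
POLICY_LEVEL = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}
LEVEL_RANK = {"DV": 1, "OV": 2, "EV": 3}
# Subject attributes the CA verified at each level. OU is never trusted: it is
# not a verified identity attribute under the Baseline Requirements.
TRUSTED_FIELDS = {"DV": set(), "OV": {"O", "L", "ST", "C"},
                  "EV": {"O", "L", "ST", "C", "serialNumber", "businessCategory"}}


def parse_dn(dn):
    """Parse an RFC 4514 string DN into {type: value}, honouring backslash
    escapes such as 'O=Match.com\\, Inc' (multi-valued '+' RDNs not handled)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: take literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":                        # unescaped comma ends an RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    attrs = {}
    for part in parts:
        attr_type, _, value = part.partition("=")
        attrs[attr_type.strip()] = value.strip()
    return attrs


def validation_level(policy_oids):
    """Highest CA/B Forum level asserted by the policy OIDs, or 'unknown'."""
    levels = [POLICY_LEVEL[o] for o in policy_oids if o in POLICY_LEVEL]
    return max(levels, key=LEVEL_RANK.get) if levels else "unknown"


def relying_party_identity(validated_domain, subject_dn, policy_oids):
    """Identity a relying party may display: the validated dNSName always, the
    organization only if the policy level says the CA verified it (DV: ignored)."""
    subject = parse_dn(subject_dn)
    level = validation_level(policy_oids)
    trusted = {k: v for k, v in subject.items() if k in TRUSTED_FIELDS.get(level, set())}
    ignored = sorted(k for k in subject if k not in trusted and k != "CN")
    return {"level": level, "domain": validated_domain,
            "organization": trusted.get("O"), "trusted": trusted, "ignored": ignored}
```

A DV certificate that happens to carry an O field therefore yields `organization: None`, which is exactly the distinction the message asks browsers to preserve in their UI.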