[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Eddy Nigg eddy_nigg at startcom.org
Thu Nov 6 16:53:38 MST 2014


On 11/07/2014 01:44 AM, Ryan Sleevi wrote:
>
> At the risk of being exceptionally pessimistic, rather than my normal 
> moderately pessimistic, could it be perhaps because customers find TLS 
> hard precisely because of these arbitrary distinctions that do nothing 
> for security of UAs (again, same origin policy), and even LESS for 
> automated tools (S2S federations and the like?)
>
> That is, there are plenty of customers who buy EV for their 'internal' 
> domains for internal servers, judging by the CAs who have commented 
> against CT. That's another thing that, from a security sense, makes no 
> sense. Especially when those EV certificates can cost many hundreds of 
> dollars more.

Of course I can't comment on other CAs, but take into account that 
things are very different between what the various CAs offer for their 
customers and not everything is obvious just by browsing a few web sites.

> Put differently, it's a logical fallacy to assume that because 
> subscribers buy OV that subscribers want OV, or that OV exists because 
> subscribers want OV.

No, sometimes it's also a risk assessment where a CA is willing or not 
willing to issue a certificate with domain control validation only; 
again, differences exist here too.
And many times subscribers know exactly what they are doing and want 
their entity to be verified, but not EV (which they could get if they wanted).
And sometimes I guess you are right, they enroll for something they 
think sounds good but might not be necessary. Or the other way around 
too (should do OV, but prefer DV).

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
