[cabfpub] a different UI for OV RE: downgrade DV UI RE: OIDs for DV and OV

Richard Wang richard at wosign.com
Thu Nov 6 19:33:47 MST 2014


Let me answer your question since this topic is opened by me.

 

I engaged in CA industry for 10 years from reseller of GeoTrust, Thawte, VeriSign to my own brand CA that cooperated with Comodo and Startcom. I think we deal with more than 30,000 website owners to use SSL in the past 10 years.

 

For big company, bank, stock, fund, ecommerce website, they like to choose OV to display its name in the subject, not just display domain name. This is the truth. Sorry, Ryan, not same as you think. In China, website owner think the site true identity is more important than SSL secured, this is why there are so many website identity verification providers in China and so many trust logo in every website, but no SSL.

 

Since the DV SSL exist, same padlock display as OV SSL. This confused browser user that they don’t know what the difference between the two site: one with DV, another one with OV. This problem bring a big security problem that all fraudulent websites deployed DV SSL to cheat online consumers.

 

For example: the big bank in China is ICBC, its website is www.icbc.com.cn <http://www.icbc.com.cn> . At 2007, one of the fraudulent website is www.1cbc.com.cn <http://www.1cbc.com.cn>  (i changed to 1) that has a same padlock, same web pages, many e-banking users fell into this trap and lost money.

 

Just image: If the browser display different UI for OV like display padlock and the bank name, but display DV as “domain ownership verified only”. I am sure the user can easily find out this site is a fraudulent bank website.  

 

Luckily, EV come out (thanks to CAB Forum founders), and ICBC deployed EV SSL now. but I think OV SSL deployed amount is more than EV now, I still think browser should tell users the site true identity to protect them falling into the trap. 

 

I think site security not just SSL encrypted connection, but also identity fraud protection, I wish browsers can do it better.

 

 

Best Regards,

 

Richard

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Friday, November 7, 2014 8:03 AM
To: Eddy Nigg
Cc: public at cabforum.org
Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV

 

 

 

On Thu, Nov 6, 2014 at 3:53 PM, Eddy Nigg <eddy_nigg at startcom.org <mailto:eddy_nigg at startcom.org> > wrote:


No, sometimes it's also a risk assessment where a CA is willing or not willing to issue a certificate with a domain control validation only - again also here differences exist. 
And many times subscribers know exactly what they are doing and want their entity to be verified, but not EV (which they could if they want). 
And sometimes I guess you are right, they enroll for something they think sounds good but might not be necessary. Or the other way around too (should do OV, but prefer DV).

 

 

I know I'm probably kicking a hornet's nest here, but in the current world (and the past decade+ of OV practices, even if not formalized), when would a subscriber ever knowingly, intentionally choose OV?

 

- Does it affect the security of your page as displayed in browsers? No

- Does it affect the UI of browsers? No

- Does it prevent misissuance by other CAs? No

- Does it meet any form of regulatory requirements that might require ticking that box? No

 

I mean, in the world of OV today, even in a S2S federated case, you can't "pin" a certificate to say that you expect OV. MAYBE the CA has distinguished their DV vs OV intermediates, and you could pin to the OV-only intermediate, but that's not really any more security than just giving the CA an authorized list of Applicants and routing requests through them (and without the added hassle of pinning).

 

That is, I can not find a single reason why any consumer would WANT to purchase OV, beyond that they've been convinced (likely by a CA or reseller) that they NEED it.

 

Consider the discussion upthread, where it was suggested "OV should be the minimum for e-commerce". Maybe, maybe not, but it isn't, but that seems to rely on CAs thinking that subscribers are checking all the certificate UIs to check that identity information, which they don't (and on some platforms, can't).

 

That said, as unrealistic is it is, I suspect some CAs are expecting that, since nearly every CA I've seen often words precisely that into their liability disclaimers - that if the RP didn't check the UI, the RP has no standing to make a claim against the CA.

 

So, despite my antagonism towards OV, I'd love to know why anyone would actively chose OV, and what real benefits there are over DV for those that do.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141107/a0c359f0/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5075 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20141107/a0c359f0/attachment-0001.bin 


More information about the Public mailing list