[cabfpub] a different UI for OV RE: downgrade DV UI RE: OIDs for DV and OV

Ryan Sleevi sleevi at google.com
Thu Nov 6 19:57:34 MST 2014


On Nov 6, 2014 6:35 PM, "Richard Wang" <richard at wosign.com> wrote:
>
> Let me answer your question, since this topic was opened by me.
>
> I have been engaged in the CA industry for 10 years, from reseller of
> GeoTrust, Thawte and VeriSign to my own brand CA that cooperated with
> Comodo and StartCom. I think we have dealt with more than 30,000 website
> owners using SSL in the past 10 years.
>
> Big companies, banks, stock and fund firms and ecommerce websites like to
> choose OV to display their name in the subject, not just the domain name.
> This is the truth. Sorry, Ryan, it is not the same as you think. In China,
> website owners think the site's true identity is more important than being
> SSL secured; this is why there are so many website identity verification
> providers in China and so many trust logos on every website, but no SSL.
>

Why does it matter what they want, if that's not what they get? My point is
that no browser does this today, so no customer has ever legitimately
purchased a certificate expecting this, so it's irrelevant to explaining the
motivations of OV today.

>
> Since DV SSL exists, with the same padlock display as OV SSL, browser users
> are confused: they don't know the difference between the two sites, one
> with DV, the other with OV. This brings a big security problem: all
> fraudulent websites deploy DV SSL to cheat online consumers.
>

1) The vast body of evidence does not support your claim that it confuses
the browser user. The demonstrable evidence is just the opposite - they are
already confused by EV vs DV, so introducing OV is understandably worse.

2) Your comment regarding cheating users with DV lacks any relevance here.
Phishing sites succeed exceptionally well in cheating users via HTTP.

>
> For example: the big bank in China is ICBC; its website is www.icbc.com.cn.
> In 2007, one of the fraudulent websites was www.1cbc.com.cn (i changed to 1),
> which had the same padlock and the same web pages; many e-banking users fell
> into this trap and lost money.
>

And this could have succeeded via EV as well, given the current criteria,
and with such a certificate, would have degraded to the same root issue in
2007 - relying on users to check the URL bar, which we know they didn't,
and which we still know today that they don't.

>
> Just imagine: if the browser displayed a different UI for OV, like the
> padlock and the bank name, but displayed DV as "domain ownership verified
> only", I am sure the user could easily find out that this site is a
> fraudulent bank website.
>

The evidence and studies do not support your confidence in any meaningful
way, and in fact suggest it would make things worse.

>
> Luckily, EV came out (thanks to the CAB Forum founders), and ICBC has
> deployed EV SSL now. But I think the amount of OV SSL deployed is more than
> EV now; I still think browsers should tell users the site's true identity to
> protect them from falling into the trap.
>
> I think site security is not just an SSL encrypted connection, but also
> identity fraud protection; I wish browsers could do it better.
>

Respectfully, I disagree there.

The domain validation can be programmatically checked. The ID validation
cannot.

Given how many CAs have passed BR and EV audits and egregiously fail in
following their CPS or RFC 5280, I also have little confidence in the
identity vetting part. This is yet another place where CT will help in
revealing how widespread these failures are.

Regardless, your scheme and proposal are entirely dependent upon training
users to recognize some special UI, and shaming them when they don't. We
know the evidence is that they don't do this for EV, we know that EV does
not provide any form of a security boundary, so why would we expect that OV
would be any better for users?

As Gerv mentioned, we've had this conversation for years, although I
realize this may be your first time participating in it. I realize my
answers are a bit short, but it's because we have explained time and time
again why EV itself fails, and why OV is neither better for the users nor
with respect to issuance. Solving phishing is an important problem, but I
don't believe that CAs can reasonably offer help here. Solving fraud is
definitely something I don't believe CAs can help with here. This is simply
because it does not boil down to something technically enforceable, and at
this point in time, that is the only way to solve it.

Any scheme that relies on user UI is not something we'd back. If EV were
presented today, it's likely not something we'd back. DV is hugely valuable
and key to an Internet of secure communications. OV isn't, nor is it a
player in solving phishing or fraud.

>
> Best Regards,
>
> Richard
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Ryan Sleevi
> Sent: Friday, November 7, 2014 8:03 AM
> To: Eddy Nigg
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV
>
> On Thu, Nov 6, 2014 at 3:53 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:
>>
>> No, sometimes it's also a risk assessment where a CA is willing or not
>> willing to issue a certificate with a domain control validation only;
>> again, also here differences exist.
>> And many times subscribers know exactly what they are doing and want
>> their entity to be verified, but not EV (which they could if they wanted).
>> And sometimes I guess you are right: they enroll for something they
>> think sounds good but might not be necessary. Or the other way around too
>> (should do OV, but prefer DV).
>>
>
> I know I'm probably kicking a hornet's nest here, but in the current
> world (and the past decade+ of OV practices, even if not formalized), when
> would a subscriber ever knowingly, intentionally choose OV?
>
> - Does it affect the security of your page as displayed in browsers? No
> - Does it affect the UI of browsers? No
> - Does it prevent misissuance by other CAs? No
> - Does it meet any form of regulatory requirements that might require
>   ticking that box? No
>
> I mean, in the world of OV today, even in a S2S federated case, you can't
> "pin" a certificate to say that you expect OV. MAYBE the CA has
> distinguished their DV vs OV intermediates, and you could pin to the
> OV-only intermediate, but that's not really any more security than just
> giving the CA an authorized list of Applicants and routing requests through
> them (and without the added hassle of pinning).
>
> That is, I cannot find a single reason why any consumer would WANT to
> purchase OV, beyond that they've been convinced (likely by a CA or
> reseller) that they NEED it.
>
> Consider the discussion upthread, where it was suggested "OV should be
> the minimum for e-commerce". Maybe, maybe not, but it isn't, but that seems
> to rely on CAs thinking that subscribers are checking all the certificate
> UIs to check that identity information, which they don't (and on some
> platforms, can't).
>
> That said, as unrealistic as it is, I suspect some CAs are expecting
> that, since nearly every CA I've seen often words precisely that into their
> liability disclaimers: that if the RP didn't check the UI, the RP has no
> standing to make a claim against the CA.
>
> So, despite my antagonism towards OV, I'd love to know why anyone would
> actively choose OV, and what real benefits there are over DV for those that
> do.
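The distinction Ryan draws above, that the domain binding can be checked by software while the subject's organisation is only an asserted string, is visible directly in a certificate. The Go program below is an added example for this archive page, not code from the thread or from any CA or browser. It builds throwaway self-signed leaf certificates (constructed test data: the two domain names are the ones quoted in the thread, the organisation string is made up), reads the CA/Browser Forum certificate policy OIDs that mark the claimed validation level (2.23.140.1.2.1 DV and 2.23.140.1.2.2 OV from the Baseline Requirements, 2.23.140.1.1 EV from the EV Guidelines), and shows that hostname verification passes for a lookalike domain's own DV certificate exactly as it does for the real site. The certificatePolicies extension is hand-encoded via ExtraExtensions so the example does not depend on which policy field a particular Go release marshals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Certificate policy OIDs reserved by the CA/Browser Forum for the three
// validation levels (Baseline Requirements 7.1.6.1 and the EV Guidelines).
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidPolicyDV            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidPolicyOV            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidPolicyEV            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// ValidationLevel returns "EV", "OV", "DV" or "unknown" from certificatePolicies.
// The OID only records which vetting process the CA claims to have run;
// nothing in the certificate lets a relying party check that it ran correctly.
func ValidationLevel(cert *x509.Certificate) string {
	level := "unknown"
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidPolicyEV):
			return "EV"
		case p.Equal(oidPolicyOV):
			level = "OV"
		case p.Equal(oidPolicyDV) && level == "unknown":
			level = "DV"
		}
	}
	return level
}

// HostnameBound is the check that is mechanically enforceable: does the
// subjectAltName cover host? A lookalike domain holding its own DV
// certificate passes it just as cleanly as the genuine site does.
func HostnameBound(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// AssertedOrganization returns the subject O= value(s). Software cannot
// confirm that this string names the site operator; only the CA's
// out-of-band vetting stands behind it.
func AssertedOrganization(cert *x509.Certificate) string {
	return strings.Join(cert.Subject.Organization, "; ")
}

// policyInformation mirrors RFC 5280 PolicyInformation without qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// selfSignedLeaf builds a throwaway self-signed certificate for dnsName with the
// given organisation and policy OIDs. Constructed test data only.
func selfSignedLeaf(dnsName, org string, policies ...asn1.ObjectIdentifier) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	if len(policies) > 0 {
		// Encode certificatePolicies as SEQUENCE OF PolicyInformation ourselves.
		infos := make([]policyInformation, 0, len(policies))
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		der, err := asn1.Marshal(infos)
		if err != nil {
			panic(err)
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	// Constructed: a DV leaf for the lookalike domain quoted in the thread and an
	// OV leaf for the bank's domain carrying a made-up organisation name.
	lookalike := selfSignedLeaf("www.1cbc.com.cn", "", oidPolicyDV)
	bank := selfSignedLeaf("www.icbc.com.cn", "Example Bank Ltd (constructed)", oidPolicyOV)
	for _, c := range []*x509.Certificate{lookalike, bank} {
		fmt.Printf("%-16s level=%-7s host-bound=%v org=%q\n",
			c.DNSNames[0], ValidationLevel(c), HostnameBound(c, c.DNSNames[0]), AssertedOrganization(c))
	}
}
```

Both certificates come back host-bound for their own name, which is the whole of what a client can verify on its own; the OV leaf additionally carries an organisation string and an OV policy OID, but whether that string is true is a statement about the CA's process, not something the relying party can test.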