[cabfpub] a different UI for OV RE: downgrade DV UI RE: OIDs for DV and OV

Ryan Sleevi sleevi at google.com
Fri Nov 7 03:26:48 MST 2014


On Nov 7, 2014 2:21 AM, "Richard Wang" <richard at wosign.com> wrote:
>
> See below inline.
>
>
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
> Sent: Friday, November 7, 2014 5:44 PM
> To: CABFPub
> Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV
>
>
>
>> So, despite my antagonism towards OV, I'd love to know why anyone would actively choose OV, and what real benefits there are over DV for those that do.
>
>
> It's always a question of risk - have I ever bought anything from a site that had only a DV cert? I admit that I did, but I was willing to take the risk for the particular service or product I wanted because I probably wanted it more than I was afraid of losing the money or whatever. Would I take the same risk always? No, I wouldn't if there is a better alternative or I probably wouldn't deal as much on the net as I do.
>
> -------------
>
>
>
> To answer Ryan's question: “why anyone would actively choose OV”, I just checked that all browser vendors' (Google, Mozilla, Apple, Microsoft) websites are using OV or EV, no one uses DV, why?
>
>

It would be a logical mistake to assume that these sites _chose_ OV, versus
were required to go through OV (e.g. for an enterprise intermediate or RA).

This doesn't answer the question I asked, though - independent of what
sites are using what certs, given what OV _is_, why would any subscriber
_want_ it.

>
> I have a real experience that I want to buy an air ticket to UK online, then I search the Internet that I chose one that deployed SSL, I open the certificate and check the subject O field, compare its name to the website said name, then I chose this site deployed OV SSL, not chose the DV SSL site. I do this check since I know how to check the subject, but I am sure 99.99% users don’t know how to check. So why the browser like to hide the identity information so deep? How good if the browser display the verified company name more easily like in the address bar!
>

Again, see the thread Chris Palmer mentioned earlier (and I provided
accessible links for you). This isn't happening, nor would it help like you
suppose, and would most likely harm.

A security scheme that relies on users checking - which, today, means doing
exactly what you say - is not a security scheme. And OV will always
inherently rely on users checking, even if browsers adopted the UI you
would like, which is why it is not a security scheme.

>
>
>
>
> Best Regards,
>
>
>
> Richard
>
>