[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Richard Wang richard at wosign.com
Tue Nov 4 03:45:18 UTC 2014


Hi Ryan,

You are right. DV is for encryption only, not for identity. But OV is for encryption and identity, so it should have a different UI.

What I mean is that it is better if the browser can tell the end user that DV SSL is different from OV SSL: DV SSL is for security only, not for identity.

This is why I think the Chrome UI should display “domain ownership verified” instead of “Identity verified”, since it is NOT correct that the identity of a site deploying DV is verified.

Best Regards,

Richard

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, November 4, 2014 11:25 AM
To: Richard Wang
Cc: CABFPub; Dean Coclin
Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV

On Nov 3, 2014 5:54 PM, "Richard Wang" <richard at wosign.com> wrote:
>
> Hi all,
>
> I think we not only need to add DV and OV OIDs to end-user certificates, but the browsers should also downgrade the DV UI to tell users that this site's true identity is not verified! SSL is not just for encryption, but also for identity, and identity is more important than security in the current cyber situation.
>
> Currently, all browsers treat the DV UI the same as OV; this is NOT acceptable:
>
> Chrome displays a GREEN padlock like OV and says “Identity verified”. Is this info correct?
>
> I like the DV UI of the Comodo Dragon browser: it displays a problem padlock and says “domain ownership verified”. This is the correct information for the end user; DV SSL only verifies domain ownership, NOT the website identity!
>
> I wish all browsers would downgrade the DV UI like the Comodo browser. This is very fair to OV SSL users and benefits end users; it will help the end user know that this site's true identity is not verified. Sure, the basis is that the SSL certificate must have the DV OID for easy identification by browsers and third parties.
>
> Currently, all spoof websites use DV SSL to cheat end users, since the site has the same padlock as OV SSL, and DV SSL is easy to get and cheap, even free.
>
> All comments are welcome. I wish DV SSL would die in the future, since the site identity is more important than encryption; a spoof site having SSL has no good meaning and is more dangerous than no SSL.
>

That is correct, because SSL is not an anti-spoofing mechanism, despite some marketing it as such. DV is the single most important mechanism for securing the internet, and desiring a world without DV is to ignore the significant - but perhaps commercially uninteresting - value it provides.

This is just the same conversation of having browsers recognize OV, which none of the main browser vendors have expressed any interest in doing (and indeed, have made clear remarks against). While unsurprising to see a browser from a CA doing this, you are unlikely to see it elsewhere.

>
> Best Regards,
>
> Richard
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
> Sent: Thursday, October 30, 2014 10:34 PM
> To: public at cabforum.org
> Subject: Re: [cabfpub] OIDs for DV and OV
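
The thread's premise is that a certificate carries a DV or OV policy OID so that browsers and third parties can tell the validation levels apart; the following is an added example of checking that mechanically, not code from the thread or from any CA or browser vendor. It reads a DER-encoded certificatePolicies extension value with a small hand-written parser, maps the CA/Browser Forum reserved policy OIDs (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV) to a validation level, and pairs that level with the UI wording the certificate actually justifies. The sample extension bytes are constructed for the demo, and the CA-private policy OID 1.3.6.1.4.1.99999.1 in them is a placeholder, not any real CA's arc.

```python
"""Derive a certificate's validation level from its certificatePolicies
extension using the CA/Browser Forum reserved policy OIDs.

Added example, not code from the mailing-list thread. The DER reader is
minimal on purpose so the script runs offline; the sample extension bytes
are constructed here and do not come from a real certificate.
"""

# CA/Browser Forum reserved certificate policy OIDs. A certificate asserting
# one of these tells a relying party which validation the CA performed.
CABF_POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",  # domain-validated: only control of the name was checked
    "2.23.140.1.2.2": "OV",  # organization-validated: the subject organization was vetted
    "2.23.140.1.1": "EV",    # extended validation
}

# UI wording that each level actually supports, in the spirit of the thread's
# "domain ownership verified" vs "identity verified" distinction.
UI_CLAIM = {
    "DV": "domain ownership verified",
    "OV": "organization identity verified",
    "EV": "extended validation identity verified",
    None: "no CA/B Forum validation level asserted",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form.

    The first octet packs the first two arcs; later arcs are base-128 with a
    continuation bit. (Assumes the first octet is a single byte, true for all
    arcs used here.)
    """
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (used to build the sample)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def policy_oids(cert_policies_der: bytes) -> list:
    """Extract every policyIdentifier from a DER certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, policyQualifiers ... OPTIONAL }
    """
    tag, outer, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(info, 0)  # first element is the policyIdentifier
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def validation_level(cert_policies_der: bytes):
    """Return the CA/B Forum validation level ("DV", "OV", "EV") or None if none is asserted."""
    levels = {CABF_POLICY_OIDS[o] for o in policy_oids(cert_policies_der) if o in CABF_POLICY_OIDS}
    for level in ("EV", "OV", "DV"):  # if several are asserted, report the strongest
        if level in levels:
            return level
    return None


def _seq(*tlvs: bytes) -> bytes:
    """Wrap TLVs in a DER SEQUENCE (short-form length is enough for the samples)."""
    body = b"".join(tlvs)
    return bytes([0x30, len(body)]) + body


# Constructed samples (not from real certificates). The DV one also carries a
# placeholder CA-private policy OID, as real certificates often do.
SAMPLE_DV_POLICIES = _seq(_seq(encode_oid("2.23.140.1.2.1")), _seq(encode_oid("1.3.6.1.4.1.99999.1")))
SAMPLE_OV_POLICIES = _seq(_seq(encode_oid("2.23.140.1.2.2")))
SAMPLE_NO_CABF = _seq(_seq(encode_oid("2.5.29.32.0")))  # anyPolicy only

if __name__ == "__main__":
    for name, der in (("DV", SAMPLE_DV_POLICIES), ("OV", SAMPLE_OV_POLICIES), ("none", SAMPLE_NO_CABF)):
        level = validation_level(der)
        print(f"{name}: policies={policy_oids(der)} -> {level}: {UI_CLAIM[level]}")
```

In practice the bytes would be the extension value taken from a parsed X.509 certificate, and the UI claim would be derived from the asserted policy rather than from the mere presence of a certificate, so a DV certificate could never produce "identity verified". The caveat a relying party must keep in mind is that a policy OID is only as trustworthy as the issuing CA: the check is meaningful only after the chain has been validated to a root that is audited against the requirements those OIDs refer to, since any private CA can assert any OID it likes.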
