[cabfpub] downgrade DV UI RE: OIDs for DV and OV

陳立群 realsky at cht.com.tw
Tue Nov 4 13:52:24 UTC 2014

I agree with Richard’s suggestion. Display “domain ownership verified” for a DV SSL certificate. Show the website owner’s company or organization name in the address bar near the padlock for an OV SSL certificate. Maybe a yellow line (or other color) or no line for an OV SSL certificate vs. the green line of an EV SSL certificate.


DV SSL certificates are very easy and quick to obtain, and provide less value than OV or EV SSL certificates.


The Microsoft and Mozilla root certificate programs have asked CAs that issue DV or OV SSL certificates to be audited against the CA/B Forum SSL B.R. A CA should submit the audit report to the root certificate program and disclose the result to the public by maintaining a seal each year. We suggest browsers should have a different UI for DV and OV SSL certificates.


Li-Chun CHEN
Information & Communication Security Department
Data Communication Business Group
Chunghwa Telecom Co. Ltd.
realsky at cht.com.tw

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Richard Wang
Sent: Tuesday, November 04, 2014 9:09 PM
To: Gervase Markham; Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV


How about displaying “domain ownership verified” instead of “Identity verified”?

And if we can’t downgrade DV, then how about an upgrade that displays the padlock and organization name near the padlock like EV, but with the address bar still white, not green.

I think browsers should have a different UI for DV and OV SSL.



Best Regards,




-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Tuesday, November 4, 2014 5:39 PM
To: Richard Wang; Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV


On 04/11/14 01:52, Richard Wang wrote:

> I think we not only need to add DV and OV OIDs to end user certificates,
> but also the browsers *should downgrade the DV UI* to tell users that
> this site's true identity is not verified!


I disagree with that as a blanket statement.


There are many Internet businesses which are known simply by their domain name. "match.com", and so on. For them, a DV certificate, which proves that the holder of the certificate owns match.com, has verified their identity to a degree which is often sufficient.


Clearly, this is not all you need in every case, but it's not true to say that "identity is not verified" for DV certificates. It depends what sort of identity verification an end user needs.


> Chrome displays a GREEN padlock like OV and says “Identity verified”; is
> this info correct?


It says that underneath a reprint of the domain name - which is the piece of identity which has been verified.


> All comments are welcome. I wish DV SSL will die in the future,
> since the site identity is more important than encryption; a spoof site
> having SSL has no good meaning and is more dangerous than no SSL.


DV is the only plausible route to the web being secure by default. It is not going to go away.



