[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Wed Nov 5 14:01:17 UTC 2014

On 05/11/14 13:28, Sigbjørn Vik wrote:
> On 04-Nov-14 22:32, Eddy Nigg wrote:
>>
>> On 11/04/2014 03:09 PM, Richard Wang wrote:
>>>
>>> *How about display “domain ownership verified” instead of “Identity
>>> verified”*
>>
>> If at all it should be clearly "domain control validated" - that's what
>> it is, not more and also not less.
>
> UI is hard, if you have issues with the particular UI of a particular
> browser, you should file a bug report with that browser. However, in
> this case, I believe "Identity verified" is correct", and that "domain
> control validated" is incomprehensible incorrect gibberish :P

So ISTM that there's no consensus on what "Identity", "domain ownership" 
and "domain control" actually mean or (perhaps more importantly) what 
users will think they mean.

How about neatly sidestepping the issue by dropping these words from 
primary chrome?

In other words, I'm suggesting that Chrome could say...

http://www.no-cert.com
www.no-cert.com
Not verified

https://www.untrusted-cert.com
www.untrusted-cert.com
Not verified

https://www.dv-cert.com
www.dv-cert.com
Verified

https://www.ov-cert.com
www.ov-cert.com
Verified

https://www.ev-cert.com
Company Name
Verified

Less is more.  :-)

> The browser has verified that the site really is the site that is shown;
> the identity of the site has been verified. This is also what it shows
> to the user, so this is correct. If the address bar (and the text next
> to "Identity verified") says match.com, the user can be sure that the
> site shown really is match.com. The browser has not verified that the
> site belongs to or is controlled by any particular organization, nor
> does it state that, nor should it state that.
>
> "Domain" in English means "territory". Stating "Territory control
> verified" is incomprehensible gibberish, "domain" is only understandable
> to people who speak technobabble, which most users don't. The words in
> the UI refer to what the browser has done, not what some third party has
> done, and the browser has not validated any domain control, so stating
> that would additionally be incorrect. Hence "incomprehensible incorrect
> gibberish".
>
> For the record, Opera does not believe in any distinction between OV and
> DV, it is hard to see how this would aid users. EV is already available
> for those who care about identity. Personally, I am not even convinced
> about the DV/EV distinction in primary chrome, I believe it confuses as
> much as it aids, preferably I'd just show users a single "Secure/not
> secure" indicator, delegating anything else to secondary chrome. (If EV
> actually provided extra security over regular https - e.g. minimum
> TLSv1.1, then I might be convinced of the benefits, but that is a
> different discussion.)
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.