[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Gervase Markham gerv at mozilla.org
Wed Nov 5 14:40:17 UTC 2014

On 04/11/14 13:15, Gervase Markham wrote:
> On 04/11/14 13:09, Richard Wang wrote:
>> *I think browser should have the different UI for DV and OV SSL.*
> And Mozilla doesn't, I'm afraid. I'm not sure it's possible to reach
> agreement, given that fundamental difference of opinion.

It's been suggested that more elaboration might be helpful here. I have
no intent to be rude to Richard or to Li-Chun; I'm afraid that you have
joined in a debate which has been running for a decade, and always
follows the same pattern, so I'm afraid it's got me a little worn down :-)

Briefly, the important points are:

* The CAB Forum does not place normative requirements on browsers, and
it particularly does not do so regarding their user interface.

* Browsers would prefer it if the Internet only had one state - secure.
More states than that are sub-optimal, and the more states there are,
the worse it gets. So, browsers wish to minimise the number of available
states - because studies have consistently shown that users don't fully
understand the ones we have, let alone new ones.

* We already have 3 states - HTTP, DV and EV. They represent no
trustworthy identity validation, identity validation at the level of the
domain name, and identity validation at the level of the company. There
needs to be a very good reason to add more. "I charge customers a
different amount of money for this cert" is clearly not good enough on
its own.

* The entire point of creating EV was that OV issuing practices at the
time were inconsistent and unauditable. So EV was set out to create the
baseline for what browsers would accept as "good enough" to trust the
information to display in the UI. As it happens, AIUI, it turned out to
be significantly more than any CA was doing at the time. We still
believe that it's the case that EV is the lowest level of validation
we'd trust to display the O field. If we came to feel that it's
acceptable to do less validation and still trust the result, we should
fix it by relaxing the requirements of EV, not by creating another state
in the UI.

* Defining OV in the BRs, which happened later, does not change the
above situation.
