[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Jeremy Rowley jeremy.rowley at digicert.com
Wed Nov 5 14:48:24 UTC 2014

That wasn't the point of creating EV. From the beginning, EV was intended to reach only the largest companies on the internet. It was designed at the request of Microsoft and banks to be a premier indicator of identity. EV was never intended to impact OV issuance.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Wednesday, November 5, 2014 7:40 AM
To: Richard Wang; Dean Coclin; public at cabforum.org
Subject: Re: [cabfpub] downgrade DV UI RE: OIDs for DV and OV

On 04/11/14 13:15, Gervase Markham wrote:
> On 04/11/14 13:09, Richard Wang wrote:
>> *I think browser should have the different UI for DV and OV SSL.*
> And Mozilla doesn't, I'm afraid. I'm not sure it's possible to reach 
> agreement, given that fundamental difference of opinion.

It's been suggested that more elaboration might be helpful here. I have no intent to be rude to Richard or to Li-Chun; I'm afraid that you have joined in a debate which has been running for a decade, and always follows the same pattern, so I'm afraid it's got me a little worn down :-)

Briefly, the important points are:

* The CAB Forum does not place normative requirements on browsers, and it particularly does not do so regarding their user interface.

* Browsers would prefer it if the Internet only had one state - secure. More states than that are sub-optimal, and the more states there are, the worse it gets. So, browsers wish to minimise the number of available states - because studies have consistently shown that users don't fully understand the ones we have, let alone new ones.

* We already have 3 states - HTTP, DV and EV. They represent no trustworthy identity validation, identity validation at the level of the domain name, and identity validation at the level of the company. There needs to be a very good reason to add more. "I charge customers a different amount of money for this cert" is clearly not good enough on its own.

* The entire point of creating EV was that OV issuing practices at the time were inconsistent and unauditable. So EV set out to create the baseline for what browsers would accept as "good enough" to trust the information to display in the UI. As it happens, AIUI, it turned out to be significantly more than any CA was doing at the time. We still believe that it is the case that EV is the lowest level of validation we'd trust to display the O field. If we came to feel that it's acceptable to do less validation and still trust the result, we should fix it by relaxing the requirements of EV, not by creating another state in the UI.

* Defining OV in the BRs, which happened later, does not change the above situation.
