[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Ryan Sleevi sleevi at google.com
Thu Nov 6 23:44:59 UTC 2014

On Thu, Nov 6, 2014 at 3:38 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:

> On 11/05/2014 05:50 PM, Gervase Markham wrote:
> Well, it looks like opinions differ on this, then :-) I remember the CAs
> arguing that browsers should do new UI for OV, but various other CAs
> proving quite how much some existing OV issuance processes sucked, and
> so we decided not to do that. So EV was started to provide an auditable
> standard everyone could agree on.
> Even though I was involved only on the sidelines at that time, I tend to
> agree with Jeremy that EV was understood to be an EXTENDED validation.
> Something that is truly very deep with strong requirements. At least that
> what I hope it is.
> One fact the browser vendors have to acknowledge is that there is a fairly
> small percentage having EV certificates, but for sites which are also
> fairly important (mostly).
> General OV and IV as defined today in the BR is - despite the lack of any
> UI benefits - still very strong and popular. And perhaps you should think
> about it why it's so persistent both with the CAs and the subscribers
> ordering it.
> --

At the risk of being exceptionally pessimistic, rather than my normal
moderately pessimistic, could it be perhaps because customers find TLS hard
precisely because of these arbitrary distinctions that do nothing for
security of UAs (again, same origin policy), and even LESS for automated
tools (S2S federations and the like?)

That is, there are plenty of customers who buy EV for their 'internal'
domains for internal servers, judging by the CAs who have commented against
CT. That's another thing that, from a security sense, makes no sense.
Especially when those EV certificates can cost many hundreds of dollars

Put differently, it's a logical fallacy to assume that because subscribers
buy OV that subscribers want OV, or that OV exists because subscribers want
OV. It's also clear that (several) browsers don't.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141106/b8fd5630/attachment-0003.html>

More information about the Public mailing list