[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Ryan Sleevi sleevi at google.com
Fri Nov 7 00:02:46 UTC 2014

On Thu, Nov 6, 2014 at 3:53 PM, Eddy Nigg <eddy_nigg at startcom.org> wrote:
> No, sometimes it's also a risk assessment where a CA is willing or not
> willing to issue a certificate with a domain control validation only -
> again also here differences exist.
> And many times subscribers know exactly what they are doing and want their
> entity to be verified, but not EV (which they could if they want).
> And sometimes I guess you are right, they enroll for something they think
> sounds good but might not be necessary. Or the other way around too (should
> do OV, but prefer DV).
I know I'm probably kicking a hornet's nest here, but in the current world
(and the past decade+ of OV practices, even if not formalized), when would
a subscriber ever knowingly, intentionally choose OV?

- Does it affect the security of your page as displayed in browsers? No
- Does it affect the UI of browsers? No
- Does it prevent misissuance by other CAs? No
- Does it meet any form of regulatory requirements that might require
ticking that box? No

I mean, in the world of OV today, even in an S2S federated case, you can't
"pin" a certificate to say that you expect OV. MAYBE the CA has
distinguished their DV vs OV intermediates, and you could pin to the
OV-only intermediate, but that's not really any more security than just
giving the CA an authorized list of Applicants and routing requests through
them (and without the added hassle of pinning).

That is, I can not find a single reason why any consumer would WANT to
purchase OV, beyond that they've been convinced (likely by a CA or
reseller) that they NEED it.

Consider the discussion upthread, where it was suggested "OV should be the
minimum for e-commerce". Maybe, maybe not, but it isn't, but that seems to
rely on CAs thinking that subscribers are checking all the certificate UIs
to check that identity information, which they don't (and on some
platforms, *can't*).

That said, as unrealistic as it is, I suspect some CAs are expecting that,
since nearly every CA I've seen often words precisely that into their
liability disclaimers - that if the RP didn't check the UI, the RP has no
standing to make a claim against the CA.

So, despite my antagonism towards OV, I'd love to know why anyone would
actively choose OV, and what *real* benefits there are over DV for those
that do.
