[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Eddy Nigg eddy_nigg at startcom.org
Fri Nov 7 09:44:09 UTC 2014

On 11/07/2014 02:02 AM, Ryan Sleevi wrote:
> I know I'm probably kicking a hornet's nest here, but in the current 
> world (and the past decade+ of OV practices, even if not formalized), 
> when would a subscriber ever knowingly, intentionally choose OV?

I'm in favor of kicking that nest a little bit, let's see if there is still 
something alive in there :-)

> - Does it affect the security of your page as displayed in browsers? No
> - Does it affect the UI of browsers? No
> - Does it prevent misissuance by other CAs? No
> - Does it meet any form of regulatory requirements that might require 
> ticking that box? No

Does it reduce risk of intentional abuse? Yes
Does it provide a trace to a real (legal) entity? Yes
Does it provide additional information to the subscriber if necessary? 
Yes (albeit carefully hidden by the browsers, to make it difficult to reach)

Or the other way around, why don't we just issue code signing 
certificates to anyone able to validate an email address? Ask Tom.

> That is, I cannot find a single reason why any consumer would WANT to 
> purchase OV, beyond that they've been convinced (likely by a CA or 
> reseller) that they NEED it.

One reason I can give you is that either the CA doesn't issue any DV 
certs or that the CA isn't willing to issue a certain type of 
certificate without verification (of the entity). Or the subscriber 
makes an informed decision deciding that he/she wants to have the 
verified details in the certificate.

> Consider the discussion upthread, where it was suggested "OV should be 
> the minimum for e-commerce". Maybe, maybe not, but it isn't, but that 
> seems to rely on CAs thinking that subscribers are checking all the 
> certificate UIs to check that identity information, which they don't 
> (and on some platforms, *can't*).

No, the fact that there was a verification performed is already reason - 
the details are in the certificates, even if the majority will never see it.

> That said, as unrealistic as it is, I suspect some CAs are expecting 
> that, since nearly every CA I've seen often words precisely that into 
> their liability disclaimers - that if the RP didn't check the UI, the 
> RP has no standing to make a claim against the CA.

I don't know about other CAs, but it's not a common requirement as far 
as I know. Rather the relying party must check with a revocation 
checking method (either OCSP or CRL).

> So, despite my antagonism towards OV, I'd love to know why anyone 
> would actively choose OV, and what *real* benefits there are over DV 
> for those that do.

It's always a question of risk - have I ever bought anything from a site 
that had only a DV cert? I admit that I did, but I was willing to take 
the risk for the particular service or product I wanted because I 
probably wanted it more than I was afraid of losing the money or 
whatever. Would I take the same risk always? No, I wouldn't if there is 
a better alternative or I probably wouldn't deal as much on the net as I do.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
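An added example, not from this thread and not StartCom's or the CA/Browser Forum's code, of reading what the reply above calls the details "in the certificates": it pulls the CA/Browser Forum Baseline Requirements DV and OV policy OIDs (2.23.140.1.2.1 and 2.23.140.1.2.2, well-known values not quoted in the thread) out of a leaf with Go's standard library and checks that an OV claim is actually backed by an Organization and Country in the subject. The self-signed certificate, the organization name and the OCSP URL are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum Baseline Requirements policy OIDs for DV and OV (well-known values, not from the thread).
var oidDV, oidOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}

// Classify reports which BR policy a leaf asserts and, for OV, whether the subject really
// carries the verified entity details (O and C) the OID promises; "" means no BR policy OID.
func Classify(cert *x509.Certificate) string {
	hasEntity := len(cert.Subject.Organization) > 0 && len(cert.Subject.Country) > 0
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidDV):
			return "DV"
		case p.Equal(oidOV) && hasEntity:
			return "OV"
		case p.Equal(oidOV):
			return "OV-policy-without-entity" // OID claims OV but the subject names no O/C
		}
	}
	return ""
}

// MakeTestCert builds a constructed, self-signed leaf (org "" gives a DV-style, CN-only subject);
// the certificatePolicies extension is hand-encoded so old and new Go versions emit it identically.
func MakeTestCert(org string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	subj := pkix.Name{CommonName: "example.test"}
	if org != "" { subj.Organization, subj.Country = []string{org}, []string{"IL"} } // constructed entity
	polExt, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subj, DNSNames: []string{"example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		OCSPServer: []string{"http://ocsp.example.test"}, // constructed URL, what an RP would query
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polExt}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run against a real chain, the third result ("OV-policy-without-entity") is the case worth alerting on: the policy OID promises a verified entity that the subject does not name.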
