[cabfpub] downgrade DV UI RE: OIDs for DV and OV
Eddy Nigg
eddy_nigg at startcom.org
Sun Nov 9 09:41:49 UTC 2014
On 11/07/2014 11:49 AM, Gervase Markham wrote:
> On 07/11/14 09:44, Eddy Nigg wrote:
>> Does it reduce risk of intentional abuse? Yes
> You need to be more specific on how you think it reduces the risk.
The subscriber knows that the CA has XYZ details about it, probably
entered a formal agreement and the personal or entity details are
displayed in the certificate. Even if he/she wouldn't care, a relying
party could use this data (and together with data the CA gathered
probably some more).
>> Does it provide a trace to a real (legal) entity? Yes
> But this is not a binary thing.
Nothing is binary Gerv....
> Can an attacker get an OV certificate
> with a bogus O field? However hard you think that is, it's certainly
> easier to do that for OV than for EV.
It might be harder depending on the CA's policies and practices, it would
and should be harder for EV, but that's it. As you said, it's not binary
and neither total 100%.
But it reduces the risk - it matters if you have to deal with one case
or with thousands.
>> Or the other way around, why don't we just issue code signing
>> certificates to anyone able to validate an email address? Ask Tom.
> Code signing certificates are an entirely different use case, and I
> don't think the comparison is useful.
No, I think the comparison is not bad at all if you think about it. It's
just that for code signing we understand the risk easier and we both
agree on it.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>