[cabfpub] downgrade DV UI RE: OIDs for DV and OV

Eddy Nigg eddy_nigg at startcom.org
Sun Nov 9 09:41:49 UTC 2014

On 11/07/2014 11:49 AM, Gervase Markham wrote:
> On 07/11/14 09:44, Eddy Nigg wrote:
>> Does it reduce risk of intentional abuse? Yes
> You need to be more specific on how you think it reduces the risk.

The subscriber knows that the CA has XYZ details about it, probably 
entered a formal agreement and the personal or entity details are 
displayed in the certificate. Even if he/she wouldn't care, a relying 
party could use this data (and together with data the CA gathered 
probably some more).

>> Does it provide a trace to a real (legal) entity? Yes
> But this is not a binary thing.

Nothing is binary Gerv....

> Can an attacker get an OV certificate
> with a bogus O field? However hard you think that is, it's certainly
> easier to do that for OV than for EV.

It might be harder depending on the CAs policies and practices, it would 
and should be harder for EV, but that's it. As you said, it's not binary 
and neither total 100%.

But it reduces the risk - it matters if you have to deal with one case 
or with thousands.

>> Or the other way around, why don't we just issue code signing
>> certificates to anyone able to validate an email address? Ask Tom.
> Code signing certificates are an entirely different use case, and I
> don't think the comparison is useful.

No, I think the comparison is not bad at all if you think about it. I's 
just that for code signing we understand the risk easier and we both 
agree on it.

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141109/29366f29/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4313 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20141109/29366f29/attachment-0001.p7s>

More information about the Public mailing list