[cabfpub] DV/OV UI

Gervase Markham gerv at mozilla.org
Tue Nov 11 13:51:15 UTC 2014

On 10/11/14 22:19, Dean Coclin wrote:
> Gerv wrote:
> "Can an attacker get an OV certificate with a bogus O field? However hard
> you think that is, it's certainly easier to do that for OV than for EV."
> And it's much, much easier for an attacker to get a DV certificate.

Yes; but not one with bogus fields in it, one would hope!

> 1. Roughly 1/3 of e-commerce websites use DV certificates
> 2. DV certificates are more likely to be used by cybercriminals for
> e-commerce fraud (see #4)

They are also more likely to be used by ecommerce websites, as you note
in point 1 :-)

> 3. 25,000 suspected phishing sites were using SSL in the year leading up to
> March 2014

Remind me: are certificates about identity, or trustworthiness?

I think the CAB Forum would be on a rather sticky wicket (to use a
British expression) with respect to anti-trust if we tried to ban the
sale of DV for e-commerce (or any other application).


More information about the Public mailing list