[cabfpub] DV/OV UI

Tim Hollebeek THollebeek at trustwave.com
Tue Nov 11 14:13:35 UTC 2014

No, enforcing reasonable minimum security standards across an industry segment is not an anti-trust violation.  X9F, for example, has similar anti-trust rules, but still manages to publish standards for minimum security requirements for payment cards, etc.  I see no reason why the CAB forum and e-commerce is different in this regard.

For example, X9F4 is currently writing a standard on minimum security standards for debit authentication for e-commerce and banking.  That's very similar, and not an anti-trust violation.

Unfortunately, I have not seen much interest from the browser community in protecting payment card authentication information, and that saddens me.  I haven't checked the state of things recently, but way too many browsers are willing to (for example) save CVV numbers, auto-fill forms with them, and sync them to other devices, unless the e-commerce page explicitly goes out of its way to say "don't store this" (which most don't).

I would have to ponder the implications more, but moving all e-commerce payment authentication to EV over time is an idea worth considering.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Tuesday, November 11, 2014 8:51 AM
To: Dean Coclin; Eddy Nigg; CABFPub
Subject: Re: [cabfpub] DV/OV UI

On 10/11/14 22:19, Dean Coclin wrote:
> Gerv wrote:
> "Can an attacker get an OV certificate with a bogus O field? However
> hard you think that is, it's certainly easier to do that for OV than for EV."
> And it's much, much easier for an attacker to get a DV certificate.

Yes; but not one with bogus fields in it, one would hope!

> 1. Roughly 1/3 of e-commerce websites use DV certificates 2. DV
> certificates are more likely to be used by cybercriminals for
> e-commerce fraud (see #4)

They are also more likely to be used by ecommerce websites, as you note in point 1 :-)

> 3. 25,000 suspected phishing sites were using SSL in the year leading
> up to March 2014

Remind me: are certificates about identity, or trustworthiness?

I think the CAB Forum would be on a rather sticky wicket (to use a British expression) with respect to anti-trust if we tried to ban the sale of DV for e-commerce (or any other application).

Public mailing list
Public at cabforum.org


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

More information about the Public mailing list