On 06/12/2018 11:48, Michael Ströder wrote:
> On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
>> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>>> IIRC Apple's Safari is ending support for EV, and some say that EV
>>> has failed, and are not sorry to see it go.
>> This is very bad for security. So far the only real failures have
>> been:
>> 1. Some cloud provider(s) actively want to reduce all TLS security to
>> the anonymous form provided by Let's Encrypt, and are doing their worst
>> to sabotage EV-providing CAs.
> Quoting from Peter Gutmann's "Engineering Security",
> section "EV Certificates: PKI-me-Harder":
>
>   Indeed, cynics would say that this was exactly the problem that
>   certificates and CAs were supposed to solve in the first place, and
>   that "high-assurance" certificates are just a way of charging a
>   second time for an existing service.
>
> I fully agree with the above and I'm also for removing this crap from
> the browser UI.
Peter Gutmann, for all his talents, dislikes PKI with a vengeance.
EV is a standard for OV certificates done right. Which involves more
thorough identity checks, stricter rules for the CAs to follow etc.
The real point of EV certificates is to separate CAs that do a good
job from those that do a more sloppy job, without completely distrusting
the mediocre CA operations.
Due to market forces, the good CAs also offer the weaker certificate
types at a lower price to compete with the mediocre CAs that aren't
good/thorough enough to do the full job.
The way EV certs are highlighted in browsers (green bar etc.) was a way
to create market demand for the higher quality. They could be indicated
in some other useful way of course, but the distinction between "The
CA did something to check the name and real world address in the
certificate" (OV) versus "The CA checked the name and real world
address thoroughly in accordance with the higher quality standard" (EV)
is still of some significance.
If you look at that long list of CA roots preinstalled in a typical
browser, only a minority are authorized, trusted and audited to issue
to the higher EV standard.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users