> > Quoting from Peter Gutmann's "Engineering Security",
> > section "EV Certificates: PKI-me-Harder"
> >
> > Indeed, cynics would say that this was exactly the problem that
> > certificates and CAs were supposed to solve in the first place, and
> > that "high-assurance" certificates are just a way of charging a
> > second time for an existing service.
>
> Peter Gutmann, for all his talents, dislikes PKI with a vengeance.
> EV is a standard for OV certificates done right, which involves more
> thorough identity checks, stricter rules for the CAs to follow, etc.
>
> The real point of EV certificates is to separate CAs that do a good
> job from those that do a more sloppy job, without completely distrusting
> the mediocre CA operations.

So a CA that's supposed to validate its customer before issuing a certificate may do a "more sloppy job" if he doesn't cough up some extra money. I think Peter is exactly right here. CAs either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users