On 06/12/2018 21:16, Viktor Dukhovni wrote:
> On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote:
>
>> So, a CA that's supposed to validate its customer before issuing a
>> certificate may do a "more sloppy job" if he doesn't cough up some extra
>> money. I think Peter is exactly right here. CAs either do their job, or
>> they don't. If they agree to certify a set of attributes, they ought to
>> verify each one of them.
No, Uri, you get it wrong. Different levels of certainty are the point.

Consider it like this:

DV: A regular printed business card that you can get from a vending machine; proves very little. The CA just checks that the person or robot requesting the certificate has some semblance of control over the domain name at the time of issuance. Price is as low as $0.

OV: A debit card with the supposed owner's name on it, available from a number of companies that do minimal checking, but still a better ID proof than a business card. The CA must check that the company name and address are true, using some basic steps such as checking that a company by that name exists at that address and confirms they are the ones requesting the certificate. There is no check that the company name is an official name or that the company has a business license etc. A traditional lemonade stand run by children can potentially get an OV certificate if they stay in one place for the time it takes to get the certificate. (A CA agent visiting the company site is enough checking of company existence for OV.)

EV: A proper photo ID with serious identity checking before being issued, like a government passport. Includes the holder's legal name and government ID number (literally), which can be used to look up the subject's legal status. The CA must check public records, and do some hard checks that the request is officially from that company. There is a 50+ page official specification listing how every tidbit of this information must be checked. The CA cannot limit its own liability for certain failures to less than $2000.

Each step up the ladder gives the user more certainty that the person/website is who it says it is, but is more expensive and difficult to obtain for the person/website. Each step also costs more money for the CA to check, because there is more work to do.
The "make it look green" and "fights crime" slogans were just the old marketing campaign, repeated endlessly as a more efficient sales pressure than the real explanation.
While the point of EV was that it certified a binding to a (domain + business name) rather than just a domain with DV, it turned out that displaying the business name was also subject to abuse, and the security gain proved elusive. https://www.troyhunt.com/extended-validation-certificates-are-dead/
A traveling salesman for a cloud provider.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
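The DV/OV/EV ladder described above is something a relying party can read directly out of a certificate: the CA/Browser Forum reserves the policy OIDs 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV), 2.23.140.1.2.3 (IV) and 2.23.140.1.1 (EV) for the certificatePolicies extension, and OV/EV certificates are the ones that carry an organization name (O=) in the subject. The script below is an added example, not code from this thread or from the OpenSSL project; it assumes an OpenSSL 1.1.1 or newer `openssl` binary (for `-addext` and `-ext`), builds its own constructed self-signed certificates as demo input, classifies each by policy OID, and flags the inconsistent case of an OV/EV policy OID with no O= in the subject. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report the validation level a
# certificate asserts via its CA/Browser Forum policy OID, and check that
# an OV/EV assertion is backed by an organization name in the subject.
# Assumes openssl >= 1.1.1 for -addext / -ext.

# Map the printed certificatePolicies extension to a level name.
# Patterns are ordered so the EV OID (2.23.140.1.1) is tested before the
# 2.23.140.1.2.x family; a cert carrying several reserved OIDs reports
# the first match.
classify_policy() {
  case "$1" in
    *2.23.140.1.1*)   echo "EV" ;;
    *2.23.140.1.2.1*) echo "DV" ;;
    *2.23.140.1.2.2*) echo "OV" ;;
    *2.23.140.1.2.3*) echo "IV" ;;
    *)                echo "UNKNOWN" ;;
  esac
}

# True when the subject carries an O= attribute. RFC2253 output is used
# because its "CN=a,O=b,C=c" form is stable across OpenSSL versions.
has_org() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | grep -Eq '(^subject=|,)O='
}

# Print the asserted level of a PEM certificate; OV/EV without an
# organization name is reported as e.g. "EV-WITHOUT-ORG".
cert_level() {
  pol=$(openssl x509 -in "$1" -noout -ext certificatePolicies 2>/dev/null)
  level=$(classify_policy "$pol")
  case "$level" in
    OV|EV) has_org "$1" || level="$level-WITHOUT-ORG" ;;
  esac
  echo "$level"
}

# Build a constructed self-signed certificate (demo input, not CA output).
# $1 = output PEM, $2 = subject, $3 = policy OID to embed.
make_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${1%.pem}.key" -out "$1" -days 1 -subj "$2" \
    -addext "certificatePolicies=$3" 2>/dev/null
}

# Demo: three constructed certificates, one per case discussed above.
demo() {
  dir=$(mktemp -d) || return 1
  make_cert "$dir/dv.pem"  "/CN=example.test"                  "2.23.140.1.2.1"
  make_cert "$dir/ov.pem"  "/C=DK/O=Example ApS/CN=example.test" "2.23.140.1.2.2"
  make_cert "$dir/bad.pem" "/CN=example.test"                  "2.23.140.1.1"
  for f in dv ov bad; do
    printf '%s.pem: %s\n' "$f" "$(cert_level "$dir/$f.pem")"
  done
  rm -rf "$dir"
}

# Only run the demo when an openssl binary is on PATH.
command -v openssl >/dev/null 2>&1 && demo
```

Pointed at a real leaf certificate (`cert_level server.pem`), the script tells you what the CA claims to have verified, which is exactly the distinction Jakob draws: a DV result means only domain control was checked, while OV/EV results should always come with an organization name. The policy OID is an assertion by the issuer, so it is only as trustworthy as the CA and the root store that admit it.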