[cabfpub] DV/OV UI
gerv at mozilla.org
Tue Nov 11 06:51:15 MST 2014

On 10/11/14 22:19, Dean Coclin wrote:
> Gerv wrote:
> "Can an attacker get an OV certificate with a bogus O field? However hard
> you think that is, it's certainly easier to do that for OV than for EV."
> And it's much, much easier for an attacker to get a DV certificate.

Yes; but not one with bogus fields in it, one would hope!

> 1. Roughly 1/3 of e-commerce websites use DV certificates
> 2. DV certificates are more likely to be used by cybercriminals for
> e-commerce fraud (see #4)

They are also more likely to be used by ecommerce websites, as you note
in point 1 :-)

> 3. 25,000 suspected phishing sites were using SSL in the year leading up to
> March 2014

Remind me: are certificates about identity, or trustworthiness?

I think the CAB Forum would be on a rather sticky wicket (to use a
British expression) with respect to anti-trust if we tried to ban the
sale of DV for e-commerce (or any other application).