List:       ietf-tls
Subject:    RE: [TLS] Including Cert. Practice Statement in issued SSL
From:       <Pasi.Eronen () nokia ! com>
Date:       2008-01-04 11:21:26
Message-ID: B356D8F434D20B40A8CEDAEC305A1F240511912F () esebe105 ! NOE ! Nokia ! com

David P. Kemp wrote:

> The fact that policies are useless in general does not
> contradict the fact that the point of the extension is to
> convey useful information.  *IF* there were standardized
> policies that 100+ trust anchors followed (e.g., Policy A =
> in-person registration with 2 forms of ID and private key
> on a hardware token, Policy B = software cert issued to
> anyone with an email account), then the extension would
> be useful.  

Isn't this basically what the "Extended validation certificates"
work is about? (standardizing a consistent policy to be followed
by a large number of CAs, and having the browser display something
different if that policy was used)

(Although some folks have questioned how much this will
actually prevent phishing, given the tendency of users to
ignore security-related browser warnings etc. Any conference
about security and usability probably has papers about this.)

Best regards,
Pasi

