
Opera defines "high" versus "low" ?


Ian G
Apr 5, 2005, 3:03:13 PM
We never really had a consensus on what "high" and "low"
assurance means, but it seems Opera had an opinion:

http://www.comodogroup.com/news/press_releases/28_02_05.html

"One of the most important measures to counter phishing attacks
is the use of security certificates," said Christen Krogh,
Opera's Vice President of Engineering, in connection with
Opera's latest Beta release. "The challenge for browser
vendors is to better explain the verification of certificates
and to make the user more aware of this additional verification
before entering into secure transactions."

www.mybank.com MyBank Corp(US) High Assurance SSL

www.mybankbilling.com www.mybankbilling.com(US) Low Assurance SSL

It's an opinion!

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/

sdavidson
Apr 6, 2005, 8:15:49 AM
Opera, however, has not had a security policy governing how CA roots are
selected for distribution in the browser. You pays your money, you gets
your root in.


Ian G
Apr 6, 2005, 9:07:41 AM

Yes, it will be interesting to see if other browsers
follow the lead of Mozilla, if/when the policy ever
gets to a formal status.

How much does Opera charge?

Duane
Apr 6, 2005, 11:51:19 AM
Ian G wrote:

> How much does Opera charge?

I heard figures of anywhere between $150k and $300k depending who was
telling the story, although we have never had any replies from Opera on
this, or anything else for that matter...

--

Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."

Ram A M
Apr 6, 2005, 5:38:12 PM
Moz folks, do you think this warrants a similar strategy?

Putting the full authenticated information (subjectDN and maybe also
the SAN.domainName) in the safe UI area leverages this by putting the onus
on the CA to be clear about what is validated [I don't think I've seen
unauthenticated information in subjectDNs, though sometimes there is
clutter].
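An added illustration (my own code, not from the thread, from Opera, or from any browser) of the labelling Ian's quoted screenshot shows and of Ram's point about deciding from the subjectDN and SAN what the CA actually validated: the subject DN is parsed, the SAN dNSNames are taken as the authenticated host, and a "High"/"Low Assurance" label is derived. The rule that an O attribute repeating the hostname, or an OU of "Domain Control Validated", signals domain-only validation is my assumption, not something the thread states.

```python
import re

# Parse an RFC 4514 DN string such as "CN=www.mybank.com,O=MyBank Corp,C=US"
# into {attribute type: [values]}, honouring backslash-escaped separators.
def parse_dn(dn):
    attrs = {}
    for rdn in re.split(r'(?<!\\),', dn):
        key, _, value = rdn.partition('=')
        value = re.sub(r'\\(.)', r'\1', value)  # drop the escaping backslash
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs

# Heuristic (my assumption, not the thread's): a CA that validated an
# organisation puts a real company name in O; a domain-only certificate
# either omits O, repeats the hostname in O, or carries a marker OU.
def validated_organisation(attrs, hosts):
    org = attrs.get('O', [''])[0]
    if not org or org.lower() in {h.lower() for h in hosts}:
        return None
    if any('domain control validated' in ou.lower() for ou in attrs.get('OU', [])):
        return None
    return org

# Build the "<name>(<country>) High/Low Assurance SSL" label the Opera
# screenshot pairs with each site. The SAN dNSNames are the authenticated
# host identity; the subject CN is only a fallback for older certificates.
def assurance_label(subject_dn, san_dns_names=()):
    attrs = parse_dn(subject_dn)
    hosts = list(san_dns_names) or attrs.get('CN', [''])[:1]
    country = attrs.get('C', [''])[0]
    org = validated_organisation(attrs, hosts)
    if org:
        return f"{org}({country}) High Assurance SSL"
    return f"{hosts[0]}({country}) Low Assurance SSL"

if __name__ == '__main__':
    # Constructed sample subjects matching the two rows in the Opera screenshot.
    print(assurance_label("CN=www.mybank.com,O=MyBank Corp,C=US", ["www.mybank.com"]))
    print(assurance_label("CN=www.mybankbilling.com,O=www.mybankbilling.com,C=US",
                          ["www.mybankbilling.com"]))
```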

Ian G
Apr 6, 2005, 6:07:02 PM
Duane wrote:

> I heard figures of anywhere between $150k and $300k depending who was
> telling the story, although we have never had any replies from Opera on
> this, or anything else for that matter...

Wow. Someone told me it was more like $8k upfront and
an annual charge of $2.5k. I guess they charge what
they like to who they like :)

Ram A M
Apr 6, 2005, 8:43:46 PM
I've heard of numbers that high in the past (not for Opera
specifically). According to Microsoft's website "Microsoft does not
currently charge for the Root Certificate Program."

As I understand it MF doesn't charge, though Netscape did and perhaps
Microsoft used to. I couldn't find any indication in Opera's KB nor
forums as to what their policy is nor if there is a cost. I did find
some disclaimers along the lines of:

we include some common roots but it is your responsibility to determine
if you trust them or any site they issue a credential to as they may be
bad businessmen or may have been fooled

Jean-Marc Desperrier
Apr 7, 2005, 5:41:06 AM
Ram A M wrote:
> As I understand it MF doesn't charge, though Netscape did and perhaps
> Microsoft used to.

It used to be free with no special requirements in the Microsoft case.

Ian G
Apr 7, 2005, 6:47:39 AM
Ram A M wrote:

> some disclaimers along the lines of:
>
> we include some common roots but it is your responsibility to determine
> if you trust them or any site they issue a credential to as they may be
> bad businessmen or may have been fooled

Can't say there's anything wrong with that! Basically
a very realistic and honest statement.

Unless of course they hide the domain and CA so users
can't do the due diligence themselves... in which case
they are basically indicating that the system doesn't
do more than provide clothing for the emperor.

It sits oddly with their charging. If I was them I'd
state that the fees were for covering costs only.

Peter Gutmann
Apr 11, 2005, 11:22:54 PM
Jean-Marc Desperrier <jmd...@alussinan.org> writes:

> It used to be free with no special requirements in the Microsoft case.

Only during the MSIE 4 free-for-all. Since then it's still free, but you have
to pass a SAS 70 audit, which typically costs about $0.5M. That's why some
companies have gone down the path of buying up an existing CA with their cert
already in there (or at least buying the CA's private keys).

Peter.

Jean-Marc Desperrier
Apr 12, 2005, 5:56:53 AM
Peter Gutmann wrote:

> Jean-Marc Desperrier <jmd...@alussinan.org> writes:
>>It used to be free with no special requirements in the Microsoft case.
>
> Only during the MSIE 4 free-for-all.

At least up until MSIE 5.01.

> Since then it's still free, but you have
> to pass a SAS 70 audit, which typically costs about $0.5M.

And it's very hard for a small player to make enough profit to
recoup that kind of amount.

That makes me think, and I'd like to point it out to MF, that Microsoft
had no remorse about removing from the list the CAs that did not comply
with the new criterion.
This is a precedent for a clean up of Mozilla's CA list.

Frank Hecker
Apr 12, 2005, 7:52:14 AM
Jean-Marc Desperrier wrote:
> That makes me think, and I'd like to point it out to MF, that Microsoft
> had no remorse about removing from the list the CAs that did not comply
> with the new criterion.
> This is a precedent for a clean up of Mozilla's CA list.

I've gone on record several times that once we have an official MF
policy we should go back and look at the current CA list in light of
that policy. The main problem (at least for me) is likely going to be
finding the time to do that.

Frank

--
Frank Hecker
hec...@hecker.org
