Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

Jimmy Hess mysidia at gmail.com
Mon Sep 12 02:23:30 UTC 2011

On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
<morrowc.lists at gmail.com> wrote:

> what's the real benefit of an EV cert? (to the service owner, not the
> CA, the CA benefit is pretty clearly $$)

The benefit is to the end user.
They see a green address bar with the company's name displayed.

Yeah, company's name displayed -- individuals cannot apply for EVSSL certs.

With normal certs, the end user doesn't see a green address bar, and
instead of the company's name displayed "(unknown)" is displayed and
"This web site does not supply ownership information." is displayed.

If you ask me, hiding the company's name even when present on a non-EVSSL
cert is tantamount to saying "Only EV-SSL certs are really trusted anyways".

So maybe instead of these shenanigans browser makers should have just
started displaying a "don't trust this site" warning for any non-EVSSL cert.


More information about the NANOG mailing list