Extended validation certificates

Posted Nov 2, 2006 10:17 UTC (Thu) by gyles (subscriber, #1600) [Link]

Posted Nov 4, 2006 0:32 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

There's actually two parts to that: the identification and the authentication. Before you can talk about what proves Bob's social security number, you have have to say what that number is in the first place, and the current system doesn't even do that. It identifies someone by a name alone, and that tells you very little. Is this web site run by THE Bob Smith?

Useful identification could be a SSN or passport number, and it could also include place of residence, occupation, and various other soft things.

As long as Verisign provides the actual identification, it probably doesn't help me a lot to see how Verisign authenticated it. If I don't trust Verisign to authenticate, I really can't trust it to tell me accurately that it did.

The guarantee (insurance) is what really matters. Of course, I would expect and demand to pay for that.

if Bob Smith's website rips you off, you can sue Verisign.

And that's a third thing. Neither the identification nor the authentication tells you that Bob Smith is an honest person; you have no basis to sue. For that, you need a voucher. Verisign says, "never mind who the person is; whoever he is, he's not going to defraud you." To protect itself, Verisign would want to ascertain the person's identity, plus probably get references or a bond or such.

For a web site, a voucher would probably be much more useful than a signature guarantee.