While at the CA/Browser Forum I was asked by a friend: if we wanted to replace EV with a new class of certificate, what would that certificate look like?
My response was that I would frame the question differently. The “real” question is what problems does a typical user have that a third-party with the strengths of a CA could help with?
With this in mind, you need to first understand who this stereotypical user is; a software engineer may have different needs than a grocery store clerk. They may also have common needs, but you won’t know that until you do research.
The only way to do reliable research on this topic is to actually work with those users to understand what their needs are. While this is much harder than it sounds, due to the biases introduced in such processes, a real needs analysis requires that you start here.
With that said, I suspect this exercise would show a broad swath of the target users is concerned with these questions:
- Will I have a good experience working with the people behind the website?
- Do the people behind this website have a good reputation?
- Are the people behind this website experts in their craft?
- How do I figure out how to reach a real human when and if I need to?
I would put those concerns into the context of the interaction they will have with the website (buying a product, downloading software, etc).
With that understanding I would then try to understand what the strengths of the CA are. Having been a CA for a long time, I would say:
CAs are good at verifying claims relating to the subject of a certificate.
I would then try to map the identified problems and strengths together to see what potential value the CA could provide that user.
Again, the right thing to do is to formally carry out the explorations above, but for the purpose of this post I suspect these exercises would find that:
- When a user visits a website they may struggle to find out how to contact the sales/support for that business,
- When a user visits a site for the first time it may be hard for them to determine what the company’s true line of business is,
- After a user previously visited a website and completed a transaction with it they sometimes need to contact that business after the fact and could be assisted in finding the right contact information,
- Before deciding to do a high-value transaction with a business, customers may want to find out the experience others have had with that business.
Now, just because a user may have these problems and a CA may be able to help solve them, it does not mean the SSL indicator is the right place to help answer these questions. It just means that there is an intersection between a real problem and the CA’s skills.
When, and how to solve this problem is another exercise altogether. Let’s explore EV for a second to give that some context.
Today, if we assume the information in an EV certificate is correct (and not confusing; see this and this for context), we can say it provides the answer to “if I need to sue these people, where do I tell my lawyer they are at?”.
The problem with that is that you may not have that information when you need it. I say this because you typically need to sue someone after you have completed a transaction with them, not before. After the fact, you have no assurance that the information in the certificate will still be available at the site you did the transaction with. The website may have gone away, they could have changed their certificate, or some other change may have taken place that makes that information not readily available to you when you need it.
In any event, the point of this post is to say that CAs should not be asking what they can put into certificates but what problems users have that CAs are well suited to solve. Unless they start there they will not be solving a real problem; they will just be bolting more things onto a certificate and asking why browsers and users don’t see value in it.
Will CT help with “if I need to sue these people where do I tell my lawyer they are at?” As you state, “The problem with that is that you will not have that information when you need it.” With CT, you may have the information, when you need it.
It does help some, you now have a list of all certificates browsers would have trusted during their validity period for a domain. This means you can go looking through all of them in an attempt to guess which one might have been used.
Great post. It really helps clarify where CAs ought to go to help secure users, i.e. EV certificates are not enough. Information such as the mentioned line of business can be gathered from 10-K filings, and with some collaboration site reputation information is also feasible.