On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote:
> My concern with this argument is that it's susceptible to the criticism
> that Adam Langley made of revocation checking:
> https://www.imperialviolet.org/2012/02/05/crlsets.html
>
> "So [EV identity is] like a seat-belt that snaps when you crash. Even
> though it works 99% of the time, it's worthless because it only works
> when you don't need it."

This aspect considers only the potential downsides of improper trust and confidence in the users' mind given improper use of a look-alike certificate leading to a phishing exploit or similar.

There is a benefit of EV certificates that deserves consideration: there are events, many per day, in which the additional confidence to engage in commerce with a given website is properly enhanced by the user's examination and assessment of the EV presentation. Any such instance is a tangible benefit, deserving -- I believe -- some weight in the discussion even if there were the rare negative outcome. This is even more the case if there are mitigations to the EV definition, qualifications, validation process, issuance process, etc., which could help.

Just spitballing, one enhancement to the EV issuance might be to require that upon validation, the proposed EV entity name and jurisdiction name proposed to be included in the certificate have a 30-day publish-for-opposition embargo. It would arise each time a new EV validation is performed, including for EV validation renewals. Further certificates could issue or re-issue within the validation lifetime. A natural service that would arise from this would be that CAs would presumably police this publish-for-opposition database for their own customers' EV names and name-alikes, working with their existing customer to object to and stop issuance of the (presumed) phishing certificate request.
Another thing that should not be problematic for legitimate businesses -- even gigantic ones -- is to require that the EV certificate qualification and validation process identify a strongly identified individual (government photo ID, etc.) who is explicitly authorized by the applying entity to request EV certificates for the entity -- and furthermore -- document within the certificate the name, jurisdiction, and nature of documents verifying that person's identification. Would Ian have requested a certificate for Stripe, Inc. if his full name were also in that certificate? Maybe, maybe not. But anyone investigating that certificate would need do no extra work to know what individual they should start communicating with to further discern the history and use of that certificate and the associated entity.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
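As an added illustration of the publish-for-opposition idea in the post above (this is example code written for this page, not anything from the poster, Mozilla, the CA/Browser Forum or any CA), the sketch below models a proposed EV subject as an organisation name plus jurisdiction, enforces the 30-day embargo the post suggests before issuance may proceed, and shows how a CA could sweep the register for names that look like its own customers' names. The `Proposal` record, the `normalize`/`lookalikes`/`issuable` functions, the suffix and confusable-character tables and the sample register entries (including the jurisdictions) are all assumptions constructed for this example; the similarity heuristic is a deliberately simple one (suffix stripping, a few confusable characters, edit distance of at most 1) and a real register would need a far richer comparison.

```python
"""Sketch of a publish-for-opposition register for EV subject names.

Everything here (data model, function names, the normalisation rules and the
sample register) is an assumption made for this example, not the practice of
any CA or of Mozilla's root program.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field
from datetime import date, timedelta

# The 30-day window proposed in the mailing-list post.
EMBARGO = timedelta(days=30)

# Corporate suffixes that carry no distinguishing information (assumed list).
_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp",
             "corporation", "co", "company", "plc", "gmbh", "ag", "sa"}

# A few characters commonly confused with letters, folded to a base form.
# Illustrative only; a real register would use a full confusables table.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "$": "s"})


def normalize(org_name: str) -> str:
    """Fold case, strip accents, punctuation and corporate suffixes, and
    collapse confusable characters, so names a user would read as the same
    compare equal (e.g. "Stripe, Inc." -> "stripe")."""
    s = unicodedata.normalize("NFKD", org_name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.casefold().translate(_CONFUSABLES)
    tokens = [t for t in re.split(r"[^a-z0-9]+", s) if t]
    return "".join(t for t in tokens if t not in _SUFFIXES)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-character variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Proposal:
    """One published EV subject awaiting (or past) its embargo."""
    org_name: str
    jurisdiction: str
    published: date
    oppositions: list = field(default_factory=list)  # objections on file


def issuable(p: Proposal, today: date) -> bool:
    """Issuance may proceed only once the embargo has elapsed and no
    opposition is on file."""
    return today >= p.published + EMBARGO and not p.oppositions


def lookalikes(proposal: Proposal, register: list[Proposal],
               max_distance: int = 1) -> list[Proposal]:
    """Register entries a CA would want to raise an opposition for: same or
    near-identical normalised name, excluding the same entity (identical raw
    name and jurisdiction) renewing its own validation."""
    target = normalize(proposal.org_name)
    hits = []
    for entry in register:
        same_entity = (entry.org_name == proposal.org_name
                       and entry.jurisdiction == proposal.jurisdiction)
        if same_entity:
            continue
        if levenshtein(target, normalize(entry.org_name)) <= max_distance:
            hits.append(entry)
    return hits


# Constructed sample register of previously validated EV subjects.
REGISTER = [
    Proposal("Stripe, Inc.", "Delaware, US", date(2017, 1, 10)),
    Proposal("PayPal Holdings, Inc.", "Delaware, US", date(2017, 3, 2)),
]


def review(proposal: Proposal, register: list[Proposal], today: date) -> dict:
    """Combine both checks as a CA's daily sweep of the register might."""
    hits = lookalikes(proposal, register)
    return {"lookalikes": [f"{h.org_name} ({h.jurisdiction})" for h in hits],
            "issuable": issuable(proposal, today)}


if __name__ == "__main__":
    today = date(2017, 12, 13)
    for p in [Proposal("Stripe, Inc.", "Wyoming, US", date(2017, 12, 1)),
              Proposal("Str1pe Inc", "Wyoming, US", date(2017, 12, 1)),
              Proposal("Stripes Ltd", "Wyoming, US", date(2017, 11, 1)),
              Proposal("Stripe, Inc.", "Delaware, US", date(2017, 11, 1))]:
        print(f"{p.org_name:22} {p.jurisdiction:14} {review(p, REGISTER, today)}")
```

Run as a script it prints one line per constructed proposal; the first three are flagged against the existing "Stripe, Inc." entry, while the last (same raw name and jurisdiction) is treated as the existing customer's own renewal and passes once its embargo has elapsed.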

