On Wed, Dec 13, 2017 at 4:28 PM, Matthew Hardeman via dev-security-policy <
[email protected]> wrote:

> On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote:
>
> > My concern with this argument is that it's susceptible to the criticism
> > that Adam Langley made of revocation checking:
> > https://www.imperialviolet.org/2012/02/05/crlsets.html
> >
> > "So [EV identity is] like a seat-belt that snaps when you crash. Even
> > though it works 99% of the time, it's worthless because it only works
> > when you don't need it."
>
> This aspect considers only the potential downsides of improper trust and
> confidence in the users' mind given improper use of a look-alike
> certificate leading to a phishing exploit or similar.
>
> There is a benefit of EV certificates that deserves consideration:
>
> There are events, many per day, in which the additional confidence to
> engage in commerce with a given website is properly enhanced by the user's
> examination and assessment of the EV presentation.  Any such instance is a
> tangible benefit, deserving -- I believe -- some weight in the discussion
> even if there were the rare negative outcome.
>

I think the flaw in this argument is that 'properly enhanced' has not been
demonstrated. It's quite literally the "works 99% of the time" case being
referred to here. Whether or not it's reasonable for the user to rely on
that information is rather the key.


> Just spitballing, one enhancement to the EV issuance might be to require
> that upon validation, the proposed EV entity name and jurisdiction name
> proposed to be included in the certificate have a 30 days
> publish-for-opposition embargo.  It would arise each time a new EV
> validation is performed, including for EV validation renewals.  Further
> certificates could issue or re-issue within the validation life time.  A
> natural service that would arise from this would be that CAs would
> presumably police this publish-for-opposition database for their own
> customers' EV names and name-a-likes, working with their existing customer
> to object to and stop issuance of the (presumed) phishing certificate
> request.
>
> Another thing that should not be problematic for legitimate businesses --
> even gigantic ones -- is to require that EV certificate qualification and
> validation process identify a strongly identified individual (government
> photo ID, etc) be explicitly authorized by the applying entity as
> authorized to request EV certificates for the entity -- and furthermore --
> document within the certificate the name, jurisdiction, and nature of
> documents verifying that person's identification.
>
> Would Ian have requested a certificate for Stripe, Inc. if his full name
> were also in that certificate?  Maybe, maybe not.  But anyone investigating
> that certificate would need do no extra work to know what individual they
> should start communicating with to further discern the history and use of
> that certificate and the associated entity.


There are a number of problems with this, although I appreciate the
suggestion.

Governance is not something easily spitballed. I've tried to highlight the
WIPO process as one example of showing how complex such deliberations can
be, especially in an international/transnational situation. I think, for
this specific proposal, you might look at resources such as
https://www.eff.org/issues/icann to see that many of these proposals you're
discussing have profound policy impact on Internet governance.
Alternatively, you may find
https://www.techdirt.com/articles/20150623/17321931439/icanns-war-whois-privacy.shtml
a useful discussion.

I realize I'm doing a poor job at articulating the profound risks, perhaps
because they're best not for e-mail discussions, but these problems are not
unique to EV, and the solutions are unquestionably worse (for freedom and
privacy). It is in this holistic understanding - including regulatory risks
of mandatory EV and the like - that it's clear that EV isn't "just"
something a site opts into - it has a non-trivial, detrimental effect on
users' day-to-day browsing, on the way in which the Internet is maintained,
on efforts to secure it, and on the underlying privacy and security. This
isn't hyperbole - this is something I think most browsers are profoundly
aware of.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy