On Wednesday, December 13, 2017 at 3:42:38 PM UTC-6, Ryan Sleevi wrote:
> > Would Ian have requested a certificate for Stripe, Inc. if his full name
> > were also in that certificate? Maybe, maybe not. But anyone investigating
> > that certificate would need do no extra work to know what individual they
> > should start communicating with to further discern the history and use of
> > that certificate and the associated entity.
> >
> There are a number of problems with this, although I appreciate the
> suggestion.
>
> Governance is not something easily spitballed. I've tried to highlight the
> WIPO process as one example of showing how complex such deliberations can
> be, especially in an international/transnational situation. I think, for
> this specific proposal, you might look at resources such as
> https://www.eff.org/issues/icann to see that many of these proposals you're
> discussing have profound policy impact on Internet governance.
> Alternatively, you may find
> https://www.techdirt.com/articles/20150623/17321931439/icanns-war-whois-privacy.shtml
> useful discussion
>
> I realize I'm doing a poor job at articulating the profound risks, perhaps
> because they're best not for e-mail discussions, but these problems are not
> unique to EV, and the solutions are unquestionably worse (for freedom and
> privacy). It is in this holistic understanding - including regulatory risks
> of mandatory EV and the like - that it's clear that EV isn't "just"
> something a site opts into - it has a non-trivial, detrimental effect on
> users day to day browsing, on the way in which the Internet is maintained,
> in efforts to secure it, and to the underlying privacy and security. This
> isn't hyperbole - this is something I think most browsers are profoundly
> aware of.

I think you've done an excellent job of specifically pointing to other risks and concerns. In this last paragraph, however, it seems you've alluded to non-specific others of even graver consequence and followed up neatly with what feels like a "just trust me on this one." Well, maybe we should, but... it's just inconsistent.

I'm at a bit of a loss on this particular matter. I don't see how a privacy implication arises. Or intellectual property for that matter. I certainly don't see even the proximal nexus to internet governance.

I propose no change to how an authorized individual for engagement on behalf of the entity requesting EV issuance is identified with respect to the relationship and delegation between the business and the individual. I do propose that the individual have to be strongly identified individually and that the individual directly become contractually obliged to the CA.

Speaking of Internet governance, by funny coincidence, gives an example of such policies. For certain matters, ARIN requires a notarized affidavit of identity and assertions as to relationship with a certain business, etc, etc. This concept is not novel.

EV certificates are exclusively a business or organization matter. The validation process for EV already identifies an authorized party for directing issuance. Update the standards to require that said individual be willing to be identified in the certificate as well as identified as to the jurisdiction in which his identity validation occurred. Require that the CA engage into a contractual relationship with that individual which specifies unpalatable consequences for the individual if misrepresentations are made. This creates a liability that has a cash value that can interest "ambulance chasers" as well as law enforcement -- who generally need to have a dollar figure value of harm in order to pursue a case which hinges on the financial.

No one's privacy is being improperly compromised.
We all give up some of our individual privacy in day to day corporate activities attendant to our jobs. If part of our role involves interfacing with external entities like CAs, and making representations on behalf of the business, we are already exposed.

No one is twisting the business or individual to comply. There's this benefit of getting an EV certificate available to them if and only if they comply with the requirements. Those entities who don't have even one face willing to stand behind the request publicly should not have EV certificates available to them. One would want such an organization to achieve less trust than one with a face.

Ensuring that the CA can supply appropriate authorities with documentation pointing to the individual who requested this certificate and the contact points at which they previously validated that person makes the leap from certificate to a person with direct nexus to the certificate's request and subsequent issuance easy. That would greatly dissuade people with bad intent from acquiring EV certificates. For those who proceed regardless, it makes it far more likely that the individual(s) responsible for subsequent bad actions can be found [and tortured] appropriately.

