On Wed, Dec 13, 2017 at 6:23 PM, Matthew Hardeman via dev-security-policy < [email protected]> wrote:
> > I realize I'm doing a poor job at articulating the profound risks, > perhaps > > because they're best not for e-mail discussions, but these problems are > not > > unique to EV, and the solutions are unquestionably worse (for freedom and > > privacy). It is in this holistic understanding - including regulatory > risks > > of mandatory EV and the like - that it's clear that EV isn't "just" > > something a site opts into - it has a non-trivial, detrimental affect on > > users day to day browsing, on the way in which the Internet is > maintained, > > in efforts to secure it, and to the underlying privacy and security. This > > isn't hyperbole - this is something I think most browsers are profoundly > > aware of. > > I think you've done an excellent job of specifically pointing to other > risks and concerns. In this last paragraph, however, it seems you've > alluded to non-specific others of even graver consequence and followed up > neatly with what feels like a "just trust me on this one." Well, maybe we > should, but... it's just inconsistent. > That's certainly not my intent. Rather, I'm trying to highlight that your 'simple' solution is really not quite simple, and the nuances and political implications of that are non-trivial. Further, trying to capture all of that nuanced conversation in an email thread, particularly when some parties actively profit from exploiting misinterpretations, is not an ideal medium. I tried to provide related links so that you can read and understand how, in other contexts of governance and security, such arguments have been captured, and some of the non-obvious, significant implications of them. I think most browsers are aware of that nuance because it's an existential awareness about the role they play in the security of users, and trying to capture all of the carefully considered philosophy and security in an email thread is, well, not exactly productive either. > EV certificates are exclusively a business or organization matter. No, they aren't. That's the thing - for a number of reasons, they aren't. Or more aptly, "business or organization" themselves are not neat and compact things, nor is it safe to presume that what is true today is true tomorrow. > The validation process for EV already identifies an authorized party for > directing issuance. Update the standards to require that said individual > be willing to be identified in the certificate as well as identified as to > the jurisdiction in which his identity validation occurred. Require that > the CA engage into a contractual relationship with that individual with > specifies unpalatable consequences for the individual if misrepresentations > are made. This creates a liability that has a cash value that can interest > "ambulance chasers" as well as law enforcement -- who generally need to > have a dollar figure value of harm in order to pursue a case which hinges > on the financial. > I'm trying to be respectful, but I think this regard of law enforcement does not hold up with how the Internet works, nor how the real world works, nor how financial risk works. I realize this again sounds like "trust me", because it's hard to point out the experiences day to day of people dealing with this, or to highlight the many flaws and abuses. And even then, I don't think it's necessarily a reasonable goal to expect you to be convinced - those who understand recognize it as such. > No one's privacy is being improperly compromised. We all give up some of > our individual privacy in day to day corporate activities attendant to our > jobs. If part of our role involves interfacing with external entities like > CAs, and making representations on behalf of the business, we are already > exposed. > No one is twisting the business or individual to comply. There's this > benefit of getting an EV certificate available to them if and only if they > comply with the requirements. > This is not true. CAs tried to get PCI-DSS to require this for accepting credit cards online. And naively, we might say, "That sounds good, I'm sure that would prevent fraud" - but it also promotes and enables abuse. Or we can look at several governments trying to require - whether at a government level, at a 'doing business with government', or a 'doing any business with our citizens' level, attempts to mandate EV - which precludes a number of participants from engaging in online secure transactions or communications. There's even been attempts to require "If you're within our jurisdiction, you MUST use an EV cert" - which is balderdash! I encourage you to revisit the resources I linked you to, spend an afternoon reading them. The discussions around ICANN, RDAP, and WHOIS privacy are very insightful in understanding the tradeoffs to privacy. Legislation such as eIDAS, particularly if you can find counsel to walk you through and explain the nuance that non-legally-trained professionals may miss, is also illustrative. Looking at WIPO policies and precedent are similarly beneficial. But we must also, ultimately, circle back on the fact that none of that discussion above *matters* for this discussion. It's redirecting the conversation topic to something different, something that *is* a simpler question - which is understanding what value, if any, the UI provides. I don't think its' worth continuing to discuss your proposals without recognizing agreement on that basic discussion. Nor do I think it's valuable to discuss the validation changes without understanding and appreciating the fundamental technical flaws with EV. If that validation information is to be useful, if it's valuable, it's not because it's for a billion users. It's because you want it available to law enforcement or investigation - and there are far better ways to do that. Let's stop trying to fit a square block in a round hole. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
