All that proves is the entire EV model cannot possibly accomplish what CAs claim (with respect to phishing and other similar concerns). To wit:

- Two companies can validly possess trademarks for the same name in the United States (and I assume other jurisdictions)
- A CA's, or anyone else's, ability to tell if the identity collision is being used maliciously to deceive is totally based on seeing what content is being served under that name; the reality of trademark law means that two organizations with the same name are not inherently deceptive
- An actually malicious entity will not broadcast their name collision! Instead they'd probably have a benign website that normal users see, and at particular URLs sent to their victims, they'd serve the misleading content.

In conclusion, revoking stripe.ian.sh while ignoring the broader issues WRT the limitations of EV's binding of real world corporate identity to domain control is security theater at its worst.

Alex

On Thu, Apr 12, 2018 at 3:23 PM, Matthew Hardeman via dev-security-policy <[email protected]> wrote:

> On Thu, Apr 12, 2018 at 2:20 PM, James Burton <[email protected]> wrote:
>
> > Both mine and Ian's demonstrations never harmed or deceived anyone as
> > they were proof of concept. The EV certs were properly validated to the
> > EV guidelines. Both companies are legitimate. So what's the issue? None.
>
> In as far as that they were revoked, these cases seem to demonstrate that
> the CAs wish to vigorously defend the EV "brand" by showing that they can
> and will halt problematic uses of those certificates. No problem.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

