Regarding the options listed, I would agree with the first 2 but disagree with the third. My characterization of this situation is as follows:

1. Trust is not granted to everyone. This is true in virtual realms as well as the real world. For example, not everyone in this forum trusts me (and perhaps shouldn't).
2. Bad actors will resort to trickery, lies, and deception to get what they want, and sometimes they will be successful despite every effort to stop them.
3. The onus is on CAs to prove that "additional validation" equals "more trustworthy". Their failure to do so will lead to the demise of EV.

Security can be viewed as a series of ANDs that must be satisfied in order to conclude "you are probably secure". For example, when you browse to an important website, make sure that "https" is used AND that the domain name looks right AND that a "lock icon" appears in the UI AND, if the site uses EV certs, that the name of the organization seems correct. Failing any of those, stop immediately; if all of them hold true, you are probably fine.

As the token bad guy in this forum, I have to make all of those steps happen if I expect to trick my victims. If I bother to get an EV cert but the name wildly mismatches for my particular objective, there's an increased chance my efforts at deception will fail. If any of those steps are taken away, my job is that much easier.
...
> In my opinion, this is just a rehash of the same debate we've been having over misleading information in certificates ever since James obtained the "Identity Verified" EV certificate. The options we have to address this seem to be:
>
> 1. Accept that some entities, based on somewhat arbitrary rules and decisions, can't get OV or EV certs
> 2. Accept that the organization information in certificates will sometimes be misleading or at least uninformative
> 3. Decide that organization information in certificates is irrelevant and ignore it, or get rid of it
>
> We currently have chosen "some parts of all of the above" :-)
>
> I am most interested in exploring the first option since that is the direction CAs are headed with the recent proposal to limit EV certificates to organizations that have existed for more than 18 months [1]. As long as anyone can obtain a DV certificate, are restrictions on who can obtain an OV or EV certificate a problem, and if so, why?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

