On Thu, Aug 21, 2008 at 10:24 AM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
> I was informed privately that it means that Firefox shows EV chrome
> indicators, even for pages that contain some DV content.

Er, if this didn't happen, PayPal wouldn't be able to show chrome
indicators.  Among other things, they use Google Analytics.  I think
it would be a perfectly valid thing to refuse to form-submit to a
location that isn't under the same EV Subject as the originating form,
but if you strip the chrome from things that have some non-EV services
you're going to break things.

>>> And further vulnerabilities of this sort would reopen the same hole.
>>>
>>> In other words, the security of EV currently depends on the security of
>>> the DNS. This is bad.
>
> I agree that DV content in EV pages is just as dubious as any other DV
> content.  I would favor that EV pages must have all EV content to show EV
> chrome, just as SSL pages must have all SSL content to show (normal) SSL
> chrome.

Even in the case where you require all-EV content, if you try to
perform any additional matching of the Subject (which is what needs to
be matched anyway) you're going to break third-party data feeds and
services.  For example, in the aforementioned case, even if Google
were EV'd, what would the chrome look like?  Whose name would be on
it?  And if that level of paranoia exists, why isn't there a
preference to disable non-EV content and/or EV content where the
Subject on the cert doesn't match the initial request to the EV site?

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
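
The policies debated in this message can be compared on one constructed page. This is an added example, not part of the original post or of any browser's code; the policy names, the data shape, the `.example` hosts and the sample Subjects are all assumptions made for illustration.

```javascript
// Toy model, constructed for illustration: each load carries the validation
// level of its certificate and, for EV, the Subject organization.
const samplePage = {
  document: { host: "www.paypal.example", level: "EV", subject: "PayPal, Inc." },
  subresources: [
    { host: "static.paypal.example", level: "EV", subject: "PayPal, Inc." },
    { host: "analytics.example", level: "DV", subject: null }, // third-party script
  ],
  formAction: { host: "www.paypal.example", level: "EV", subject: "PayPal, Inc." },
};

// Hypothetical policy names for the three positions in the thread.
const POLICIES = {
  // EV chrome follows the top-level document only (mixed EV/DV still shows EV).
  topLevelOnly: () => true,
  // Every subresource must itself be EV.
  allEv: (doc, res) => res.level === "EV",
  // Every subresource must be EV and carry the document's Subject.
  allEvSameSubject: (doc, res) => res.level === "EV" && res.subject === doc.subject,
};

// Returns whether EV chrome is shown and which hosts prevented it.
function evChrome(page, policyName) {
  const accepts = POLICIES[policyName];
  if (!accepts) throw new Error(`unknown policy: ${policyName}`);
  if (page.document.level !== "EV") {
    return { show: false, blockers: [page.document.host] };
  }
  const blockers = page.subresources
    .filter((res) => !accepts(page.document, res))
    .map((res) => res.host);
  return { show: blockers.length === 0, blockers };
}

// Form submission is allowed only to a target under the same EV Subject
// as the originating document.
function formSubmitAllowed(page) {
  const { document: doc, formAction: target } = page;
  return doc.level === "EV" && target.level === "EV" && target.subject === doc.subject;
}

for (const name of Object.keys(POLICIES)) {
  console.log(name, evChrome(samplePage, name));
}
console.log("form submit allowed:", formSubmitAllowed(samplePage));
```

On the sample page only `topLevelOnly` keeps the EV indicator; the form-submit check passes without requiring anything of the third-party script.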
