Kyle Hamilton wrote: > Even in the case where you require all-EV content, if you try to > perform any additional matching of the Subject (which is what needs to > be matched anyway) you're going to break third-party data feeds and > services. For example, in the aforementioned case, even if Google > were EV'd, what would the chrome look like?
It would display the EV info for the top-level page. > Whose name would be on > it? And if that level of paranoia exists, why isn't there a > preference to disable non-EV content and/or EV content where the > Subject on the cert doesn't match the initial request to the EV site? I don't think we'd go as far as Subject matching. The point about EV is that the owner of the cert is a known legal "physical" entity somewhere. So if we switch to all-EV-required, the attacker would need to get an EV cert to inject content, and they'd have to reveal info about themselves. Switching to all-EV-required doesn't mean we'd have to tell sites not to outsource. Gerv _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
