Gervase Markham wrote, On 2008-08-22 02:17: > I don't think we'd go as far as Subject matching. The point about EV is > that the owner of the cert is a known legal "physical" entity somewhere.
AND that an identifier of that legal entity is easily available to the user so that the user can make use of it in decisions, and taking subsequent action, if necessary. The identity is not of much value if the user can't easily see it. How does the user a) know that some content is the responsibility of a different entity than the one identified by Larry, and b) find the identity of the entity responsible for that other content? > So if we switch to all-EV-required, the attacker would need to get an EV > cert to inject content, and they'd have to reveal info about themselves. Info that, I believe, would not be readily available for its intended purposes. > Switching to all-EV-required doesn't mean we'd have to tell sites not to > outsource. I think it's possible to solve the problems I described, that is, to provides methods to accomplish a and b above, and I believe that doing so is a necessary part of providing all-EV-required if you allow mixed subject names. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto