Nelson B Bolyard wrote:
> How does the user
> a) know that some content is the responsibility of a different entity than
> the one identified by Larry, and
> b) find the identity of the entity responsible for that other content?

They don't, because any UI which attempted to display all the
information necessary for a moderately-complex website would be IMO
unusable.

You are putting your trust in Foo Bank (and you know you are talking to
Foo Bank because it's EV). Foo Bank is trusting Google Analytics. They
are also trusting a load of other people to whom they outsource backend
operations, who you will never know about or meet. If they are a
sensible bank, both types of outsourcing will have received equivalent
security review. Given that, why is it more important to know that they
outsource analytics to Google Analytics than it is to know that they
outsource IT to Accenture?

>> So if we switch to all-EV-required, the attacker would need to get an EV
>> cert to inject content, and they'd have to reveal info about themselves.
> 
> Info that, I believe, would not be readily available for its intended
> purposes.

There's a line to walk here. We need to make sure that the information
isn't discarded immediately. But then it only takes one person to have
retained it for the fraudster to be tracked down when the fraud is
discovered. There's no need for it to be in the primary UI of every
visitor - and in fact, we couldn't put everything that's needed (e.g.
address) in primary UI anyway. We need to stash a copy of the cert
somewhere.

> I think it's possible to solve the problems I described, that is, to
> provide methods to accomplish a and b above, and I believe that doing
> so is a necessary part of providing all-EV-required if you allow mixed
> subject names.

How would you do it?

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
