Eddy Nigg wrote:
> Gervase Markham:
>>
>> Exactly my point. If the CA's DNS is secure, the EV system is safe. If
>> it's not, it's not. So the two are linked, and they shouldn't be.
>
> I think you meant DV, not EV here...

No, I mean EV, because the security of EV depends on the security of DV if browsers don't throw a warning for mixed EV/DV content.

> However with EV (and other validated certificates) it's highly unlikely
> that the subscriber would even attempt to get a certificate for a domain
> over which he shouldn't have any control.
>
> In any case SSL certificates are here to protect against DNS
> vulnerabilities and not as you stated.

Once they are correctly issued, they indeed protect against this. My point is that an attacker can cause them to be incorrectly issued.

> For example Google Analytics is JavaScript code. In that
> code - or any other code included by a third party, it would be fairly
> easy to snoop for credit card and other details...

If you are suggesting that we modify the EV standard in a way which makes it impossible for companies to outsource web analytics, I will suggest you are not living in the real world. :-)

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto