My view: Anything that comes from an EV-validated site should be viewed as being approved by that EV-validated site. Regardless of the actual company, domain, or even certificate Subject providing any part of the connection, the initial (root) page is the one that has the EV associated with it -- everything that the EV site redirects to or includes from should be assumed to be doing so under the authority of the EV site owner.
The details of the contracts are very unimportant to the end-user. The EV site is bound by its own privacy policy, and it's bound to ensure contractually that every site that it delegates to, every business that it delegates any function to, adheres to a minimum standard described by and defined by its privacy policy. The only real way to enforce this would be through a legal action, which is also the only real way to enforce any kind of breach of contract. (In the event of a bank or PayPal delegating improperly to a third party, it would then be a criminal complaint for violation of fiduciary duty.)

I don't believe that requiring EV on /every/ connection is useful or desirable. Only enough to ensure that the initial location where the redirect happens from is, in fact, the place responsible for the redirect. Once the chrome goes away, that entity is no longer responsible -- but until it does, that entity /is/ responsible.

I agree with Gerv: preventing companies from outsourcing web analytics (or anything else) runs counter to everything that has allowed service provision to be a valid business model in the web that's been woven.

-Kyle H

On Mon, Aug 25, 2008 at 3:32 AM, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Eddy Nigg wrote:
>> Gervase Markham:
>>>
>>> Exactly my point. If the CA's DNS is secure, the EV system is safe. If
>>> it's not, it's not. So the two are linked, and they shouldn't be.
>>
>> I think you meant DV, not EV here...
>
> No, I mean EV, because the security of EV depends on the security of DV
> if browsers don't throw a warning for mixed EV/DV content.
>
>> However with EV (and other validated certificates) it's highly unlikely
>> that the subscriber would even attempt to get a certificate for a domain
>> over which he shouldn't have any control.
>>
>> In any case SSL certificates are here to protect against DNS
>> vulnerabilities and not as you stated.
>
> Once they are correctly issued, they indeed protect against this. My
> point is that an attacker can cause them to be incorrectly issued.
>
>> For example Google Analytics is JavaScript code. In that
>> code - or any other code included by a third party, it would be fairly
>> easy to snoop for credit card and other details...
>
> If you are suggesting that we modify the EV standard in a way which
> makes it impossible for companies to outsource web analytics, I will
> suggest you are not living in the real world. :-)
>
> Gerv
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto