Gervase Markham: > Eddy Nigg wrote: >> Gervase Markham: >>> Exactly my point. If the CA's DNS is secure, the EV system is safe. If >>> it's not, it's not. So the two are linked, and they shouldn't be. >> I think you meant DV, not EV here... > > No, I mean EV, because the security of EV depends on the security of DV > if browsers don't throw a warning for mixed EV/DV content. >
Well yes, EV shouldn't mix with DV... >> In any case SSL certificates are here to protect against DNS >> vulnerabilities and not as you stated. > > Once they are correctly issued, they indeed protect against this. My > point is that an attacker can cause them to be incorrectly issued. I wouldn't state it this way, otherwise we urgently need to modify the Mozilla CA policy! An attacker shouldn't be successful in such an attempt and CAs should have controls in place to detect such attempts. For example self-auditing the certificate issuance process could reveal such an attack (since DNS poisoning or similar must be well coordinated, but doesn't succeed over time). There are other controls and prevention tools, even against unknown vulnerabilities. > > If you are suggesting that we modify the EV standard in a way which > makes it impossible for companies to outsource web analytics, I will > suggest you are not living in the real world. :-) > I'm living in the same world as you do my friend! And yes, I suggest that EV sites shouldn't outsource anything not under their control. That's because the site operator (of an EV site) doesn't have control over outsourced service. How can such an EV site operator guaranty the integrity of the valuable data? He can't and therefore EV shouldn't be mixed with anything. BTW, there are fantastic programs for web statistics and analysis. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
