On 10/31/2014 11:20 AM, Anne van Kesteren wrote:
> On Wed, Oct 29, 2014 at 10:02 PM, Dean Coclin <[email protected]> wrote:
>> But many people do in fact look at the security indicators. If that statement were true, why do fraudsters bother to get SSL certs (mostly DV) for their phishing websites?
>
> Given that "Organization" is not a globally unique identifier, it seems they could with some more effort also spoof that field.
>
> (Which is why EV seems to actually make things more difficult for users as they have to carefully check the domain, the Organization field, and ensure that neither has changed, each time they visit.)

The document below proposes a generic syntax for unique identification of natural/legal Subjects (see Section 5):

http://docbox.etsi.org/ESI/Open/Latest_Drafts/prEN_319412-1v006-cert-profiles-common-structures_COMPLETE-draft.pdf

Thanks,
M.D.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

