It turns out that the CA/Browser Validation working group is currently looking into how to address these issues, in order to tighten up validation in these cases. We discussed it a bit last Thursday, and will be continuing the discussion on the 21st.
If anyone has any good ideas, we'd be more than happy to hear them. -Tim -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+tim.hollebeek=digicert.com@lists.mozilla .org] On Behalf Of Ryan Sleevi via dev-security-policy Sent: Monday, December 11, 2017 12:01 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: On the value of EV Recently, researchers have been looking into the value proposition of EV certificates, and more importantly, how easy it is to obtain certificates that may confuse or mislead users - a purpose that EV is supposedly intended to avoid. James Burton was able to obtain a certificate for "Identity Verified", as described in https://clicktime.symantec.com/a/1/UMvfjhjcKci8WaOicVRiVWm_NzyoAX0Pc2qXQBXjH nE=?d=4GxSxTMvs_XrCwnblzpDidRZeFwt4_CpS4UexlQ_QRYfMXTACGlU9KcLjcIV2AmJ-zJBtL FaDv8U-F04Ie90QpnF8tK-ybyXlpLa2rqOTh9r7oBUmc1owCqd-3508LqFwnMSFygeNRYQQYxQ02 VE4dkt0wPLETCFlfrS7_BHqaxO5w6BikwFhE-nrVLpigRJAQlM14eULh56NL69CQWUVKrPl_t11B ctsMNiFHBfSsJIZQ-82hU2y9cXYXVjjBcvic6aPKW8LtO7NZsXhDeVSSC6deBqC3QcR-K_Rip9Vt yCDvYUoxnv9khLm24jo5M6xium8o1FiYEr5jvgfuRegHNRO1YAs1qwAmURlvecDTXHAOGDfgwKo7 DsjmEeyhtB5pylwlXn6YvgPEnUzvJZqqgb-lNj1M94f08yucGQETp7UZXA19h3qg%3D%3D&u=htt ps%3A%2F%2F0.me.uk%2Fev-phishing%2F , which is a fully valid and legal EV certificate, but which can otherwise confuse users. Today, Ian Carroll disclosed how easy he was able to get a certificate for "Stripe, Inc", registered within the US, and being granted the full EV treatment as the 'legitimate' stripe.com. He's written up the explanation at https://clicktime.symantec.com/a/1/Fahzn1Xee7EnTLqF7kqdnVFVklYxzLF8hiDkGN7kU UM=?d=4GxSxTMvs_XrCwnblzpDidRZeFwt4_CpS4UexlQ_QRYfMXTACGlU9KcLjcIV2AmJ-zJBtL FaDv8U-F04Ie90QpnF8tK-ybyXlpLa2rqOTh9r7oBUmc1owCqd-3508LqFwnMSFygeNRYQQYxQ02 VE4dkt0wPLETCFlfrS7_BHqaxO5w6BikwFhE-nrVLpigRJAQlM14eULh56NL69CQWUVKrPl_t11B ctsMNiFHBfSsJIZQ-82hU2y9cXYXVjjBcvic6aPKW8LtO7NZsXhDeVSSC6deBqC3QcR-K_Rip9Vt yCDvYUoxnv9khLm24jo5M6xium8o1FiYEr5jvgfuRegHNRO1YAs1qwAmURlvecDTXHAOGDfgwKo7 DsjmEeyhtB5pylwlXn6YvgPEnUzvJZqqgb-lNj1M94f08yucGQETp7UZXA19h3qg%3D%3D&u=htt ps%3A%2F%2Fstripe.ian.sh%2F I suppose this is both a question for policy and for Mozilla - given the ability to provide accurate-but-misleading information in EV certificates, and the effect it has on the URL bar (the lone trusted space for security information), has any consideration been given to removing or deprecating EV certificates? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://clicktime.symantec.com/a/1/kDDKlZK0leEPqVUm7AaittNvNX0qYVu4pVG8QnvM6 8E=?d=4GxSxTMvs_XrCwnblzpDidRZeFwt4_CpS4UexlQ_QRYfMXTACGlU9KcLjcIV2AmJ-zJBtL FaDv8U-F04Ie90QpnF8tK-ybyXlpLa2rqOTh9r7oBUmc1owCqd-3508LqFwnMSFygeNRYQQYxQ02 VE4dkt0wPLETCFlfrS7_BHqaxO5w6BikwFhE-nrVLpigRJAQlM14eULh56NL69CQWUVKrPl_t11B ctsMNiFHBfSsJIZQ-82hU2y9cXYXVjjBcvic6aPKW8LtO7NZsXhDeVSSC6deBqC3QcR-K_Rip9Vt yCDvYUoxnv9khLm24jo5M6xium8o1FiYEr5jvgfuRegHNRO1YAs1qwAmURlvecDTXHAOGDfgwKo7 DsjmEeyhtB5pylwlXn6YvgPEnUzvJZqqgb-lNj1M94f08yucGQETp7UZXA19h3qg%3D%3D&u=htt ps%3A%2F%2Flists.mozilla.org%2Flistinfo%2Fdev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy