(Reposting as I accidentally replied directly to OP.) Part of this discussion will necessarily have to include who the intended and potential beneficiaries of EV certificate status are:

1. Is it the common web end user? If so, EV either needs to go or be massively changed.
2. Is it for the kind of person who could properly investigate corporate documents and structure AND would have some benefit in knowing that a given website is asserted by cryptographic signature to be affiliated to a given real-world entity? If so, few changes are needed but several could be helpful.

The short version of the Stripe, Inc. case above is that the certificate is totally valid. Someone created a Stripe, Inc. in Kentucky and got the certificate, properly, for that. It's totally valid and normal for two different, totally unrelated entities to be able to have the same business name in the United States. It happens all the time. The scope of name exclusivity in the US, and indeed in many jurisdictions, is really quite complicated.

The EV green bar display goes so far as to name the country of the legal entity but goes no further. Even the certificate details only specify the registered address and name of a given entity. The format and its elements make no attempt to identify the official scope of the name or the authority. That would be something to address. Who is the registry? What's the scope of that registry's name exclusivity? Who is the REGISTRAR who interceded to create that registration? These are often different and often revealing.

There are different directions to take solutions which address some of the concerns for EV status, but if there's a definitive position that EV handling -- if handling is to be special -- should only be granted in cases which benefit the broad-sweeping general public WebPKI end user, then all of these solutions (if effective) will involve some form of:

1. Requirement in objective/mostly objective terms of notoriety of the client. High noteworthiness of the EV applicant would be required. Validation procedures would be modified to ensure that the commonly held "noteworthy" entity is actually the one applying.
2. Stability of entity records. The corporate structure is known and has been unchanged, perhaps for a year or more. Effectively, no EV for startups or any new or restructured entity that can't show a lengthy and broad claim to the name.
3. Pragmatically, to limit scope, the EV applicant process and qualifications would probably need to be modified to require that the applicant hold a national-level registered trademark/servicemark and that the name included in the certificate be strongly associated with this/these.

I could run down to an Alabama courthouse and establish in minutes the necessary documentation to get just about any EV certificate name I want. That's a problem if the above doesn't happen and you still want EV to be useful to regular end users.

If EV status is intended for business, asset management, and legal professionals, then it's easier. Add mandatory validated parameters for the official registry from which the data was referenced (ex: Alabama Secretary of State, Corporations Division) as well as where it was originally filed for registration (ex: State of AL, County of Jefferson Probate Court). Give the docket or document numbers or entity registration number as appropriate for each of these. Attempt to construe a scope of exclusivity and indicate that in lieu of just country in the green bar.

Thanks,

Matt Hardeman

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

