On Mon, Dec 11, 2017 at 2:39 PM, Tim Hollebeek <[email protected]> wrote:
> Nobody is disputing the fact that these certificates were legitimate given > the rules that exist today. > > However, I don't believe "technically correct, but intentionally > misleading" information should be included in certificates. The question > is how best to accomplish that. > > -Tim > Note: Jonathan did not mention "intentionally" misleading (instead "properly validated and have correct (but very misleading information) in them". Similarly, I noted that it was providing "accurate-but-misleading". Unless the CA/Browser Forum has determined a way to discern intent (which would be a profound breakthrough in and of itself), we cannot and should not consider intent, and must merely evaluate based on result. As such, the only way to remedy this information is to deny one or more parties the ability to obtain certificates that correctly and accurately reflect their organizational information, which is nominally the value proposition of EV certificates. Unless we're willing to redefine EV certificates as being something other tied to the legal identifier, I don't believe it's fair or beneficial to suggest we can resolve this through validation means. To that end, given the inherent confusion that results from legal identities - and, again, this is a fully valid legal identity being used - I raised the question as to whether or not it should be given the same UI treatment as the unambiguous, fully qualified URL. One option, as noted, is to fully qualify the organization information, if users are to be expected to recognize the nuances of legal identities (and why so many sites seem to be in Delaware and Nevada). However, that seems exceptionally user-hostile and to ignore countless research studies, so another option would be to consider removing the (unqualified) legal identity from the address bar. > > -----Original Message----- > From: Jonathan Rudenberg [mailto:[email protected]] > Sent: Monday, December 11, 2017 12:34 PM > To: Tim Hollebeek <[email protected]> > Cc: Ryan Sleevi <[email protected]>; mozilla-dev-security-policy@ > lists.mozilla.org > Subject: Re: On the value of EV > > > > On Dec 11, 2017, at 14:14, Tim Hollebeek via dev-security-policy < > [email protected]> wrote: > > > > > > It turns out that the CA/Browser Validation working group is currently > > looking into how to address these issues, in order to tighten up > > validation in these cases. > > This isn’t a validation issue. Both certificates were properly validated > and have correct (but very misleading information) in them. Business entity > names are not unique, so it’s not clear how validation changes could > address this. > > I think it makes a lot of sense to get rid of the EV UI, as it can be > trivially used to present misleading information to users in the most > security-critical browser UI area. My understanding is that the research > done to date shows that EV does not help users defend against phishing > attacks, it does not influence decision making, and users don’t understand > or are confused by EV. > > Jonathan > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
