On Mon, Dec 11, 2017 at 1:37 PM, Ryan Sleevi <[email protected]> wrote:
>
> On Mon, Dec 11, 2017 at 2:31 PM, Matthew Hardeman via dev-security-policy
> <[email protected]> wrote:
>
>> (Reposting as I accidentally replied directly to OP.)
>>
>> Part of this discussion will necessarily have to include who the intended
>> and potential beneficiaries of EV certificate status are:
>>
>> 1. Is it the common web end user? If so, EV either needs to go or be
>> massively changed.
>> 2. Is it for the kind of person who could properly investigate corporate
>> documents and structure AND would have some benefit in knowing that a
>> given website is asserted by cryptographic signature to be affiliated to
>> a given real world entity? If so, few changes are needed but several
>> could be helpful.
>>
>
> Agreed that these are potential goals, which is why I tried to provide a
> specific and narrow set of questions, so that we can avoid ratholing on
> those.
>
> Specifically, I was asking about 1, as that is what comes from the UI
> treatment. A conclusion of 2 implies the UI should go.
>

In general I would concur that if #2, the UI should go. I think it's
appropriate to raise a question of whether EV can be fixed rather than
dropped. I concur that as it sits, it's broken and can be exploited to
achieve an outcome perverse to EV's stated goals.

>
>> 1. Requirement in objective/mostly objective terms of notoriety of
>> client. High note-worthiness of EV applicant would be required.
>> Validation procedures would modify to ensure that the commonly held "note
>> worthy" entity is actually the one applying.
>>
>
> Naturally, this falls apart at "Internet scale"
>

EV issuance is by requirement and definition a manual process. To the
extent that all manual processes fail at internet scale, sure. To the
extent that the outcome of a manual process can still provide useful
information to end users, I do not agree with your conclusion that this
falls apart.

>
>> 2. Stability of entity records. The corporate structure is known and has
>> been unchanged, perhaps for a year or more. Effectively, no EV for
>> startups or any new or restructured entity that can't show lengthy and
>> broad claim to the name.
>>
>
> This seems to create a bifurcated Internet which is not "open and
> accessible" (per Item 2 on the Mozilla Manifesto). Namely, if it favors or
> empowers incumbents, and the only ability to be trusted by users is to 'sit
> around' so you have a stable corporate identity, then we're not creating a
> neutral, open platform.
>

Let's be honest, here, though. EV status was intended to discriminate
against scammers, phishers, and resourceful MITMs. That's not "open and
accessible" either, strictly speaking. Yet, we've tolerated it.

>
>> If EV status is intended for business, asset management, and legal
>> professionals, then it's easier. Add mandatory validated parameters for
>> official registry from which the data was referenced (ex: Alabama
>> Secretary of State, Corporations Division) as well as originally filed for
>> registration (ex: State of AL, County of Jefferson Probate Court). Give
>> the docket or document numbers or entity registration number as
>> appropriate for each of these. Attempt to construe a scope of exclusivity
>> and indicate that in lieu of just Country in the green bar.
>>
>
> The EV guidelines already encompass this information - the jurisdiction
> fields, combined with the serialNumber, which is the unique identifying
> number for that entity within the jurisdictional registry, which is unique
> per jurisdictional boundary.
>

Sadly, the current parameters do not fully encompass the legal
possibilities. At a minimum, it is deficient that the purportedly
authoritative registry, as according to the CA, is not explicitly named.

