Stripe, Inc could very well be a road striping company. This may have situationally been the equivalent of a misleading certificate but the scenario of name collisions is real.
Ryan Hurst

On Monday, December 11, 2017 at 11:39:57 AM UTC-8, Tim Hollebeek wrote:
> Nobody is disputing the fact that these certificates were legitimate given
> the rules that exist today.
>
> However, I don't believe "technically correct, but intentionally misleading"
> information should be included in certificates. The question is how best to
> accomplish that.
>
> -Tim
>
> -----Original Message-----
> From: Jonathan Rudenberg [mailto:[email protected]]
> Sent: Monday, December 11, 2017 12:34 PM
> To: Tim Hollebeek <[email protected]>
> Cc: Ryan Sleevi <[email protected]>;
> [email protected]
> Subject: Re: On the value of EV
>
>
> > On Dec 11, 2017, at 14:14, Tim Hollebeek via dev-security-policy
> > <[email protected]> wrote:
> >
> >
> > It turns out that the CA/Browser Validation working group is currently
> > looking into how to address these issues, in order to tighten up
> > validation in these cases.
>
> This isn’t a validation issue. Both certificates were properly validated and
> have correct (but very misleading information) in them. Business entity names
> are not unique, so it’s not clear how validation changes could address this.
>
> I think it makes a lot of sense to get rid of the EV UI, as it can be
> trivially used to present misleading information to users in the most
> security-critical browser UI area. My understanding is that the research done
> to date shows that EV does not help users defend against phishing attacks, it
> does not influence decision making, and users don’t understand or are
> confused by EV.
>
> Jonathan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

