On Mon, Dec 11, 2017 at 3:43 PM, Matthew Hardeman <[email protected]> wrote:
> I don't denigrate the recent work done. Not at all.
>
> This "exploit" is long known to those in the know.
>
> My key objection is that there needs to be a way to validate that the
> brick and mortar bank you've done business with for years _is_ the same
> group as currently has web domain xyz.
>

I understand this objection, but I don't think it's supported - by the technology, by the research, or by the implementation. That is, I don't think we should conflate the need with the solution - and I don't think we should ignore that the 'solution' at present isn't.

> Something significant is lost if that capability disappears.
>

I'm not sure that the capability was there to begin with.

> Some would argue that any diminished capability there qualifies the
> treatment to be removed.
>
> Some would argue that we should fix the holes in the scheme, even if those
> fixes are draconian and exclude startups.
>
> Can we accept that there is value in being sure that website XYZ actually
> is the bank down the road?
>

I don't disagree there is value in the abstract, but it's fair to ask whether EV the certificate technology and EV the UI achieve that. I think it's reasonable to point out that the latter certainly does not, and to call into question the former. We should also recognize that there is active harm caused by suggesting it does achieve those goals, or should achieve those goals, and that it's reasonable to question the foundational premise.

It feels like, to some extent, this is a question about whether we should point out the Emperor has no clothes if we don't have clothes to offer him. It'd be great if they were wearing some, I agree - the Emperor does need clothes. But that doesn't mean we should pretend they are wearing clothes simply because we don't have any to offer them.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

