While I understand that it may formally be beyond the scope to
consider this in discussion with EV UI handling, I think some consideration
to ecosystem harm is appropriate here.

If we eliminate EV UI, we have reduced the scope of WebPKI to domain
validated certificates (in any pragmatic sense, anyway).

At that point, we can look to the question of best source of validation.

Conveniently, if the domain validation is all important, there is, for any
given domain, a single entity authoritatively enshrined to answer at any
given moment to whom and when a certificate may issue: the currently
attached domain registrar.

Taken ad absurdum, that's where an exclusively domain validation landscape
leads.

Any layer or validation mechanism above that merely adds potential for
imperfections.  And if there's only one assertion of identity left in the
certificate, and there's a perfect data source, doesn't it follow that
we'll just enshrine as WebPKI CAs the various fully approved domain
registrars?  Or perhaps even the registry, via interfaces exposed by the
then-attached registrar?

Every change in an ecosystem has effects intended and not.  I'm concerned
that the "not" on this should give more pause.

On Mon, Dec 11, 2017 at 2:05 PM, Adam Caudill via dev-security-policy <
[email protected]> wrote:

> > However, I don't believe "technically correct, but intentionally
> > misleading" information should be included in certificates.  The question
> > is how best to accomplish that.
>
> How would you determine what's misleading, and what isn't? As mentioned,
> the Stripe, Inc of Kentucky could present an image of a legitimate company
> in a completely different field as the better known Stripe, Inc of Delaware
> (which, most people would associate with California based on where their
> offices are). There's no way to know what the intended future use of the
> company is, or just how legitimate the intentions of those behind it are.
>
> In a larger sense, and to the question that Ryan raises, what value has the
> EV UI treatment added? In the case of Safari, it's clear that it's actually
> quite harmful to a normal user. In the case of Firefox, it's likely that
> the UI treatment would add confusion as a result of the legitimately issued
> certificate to Stripe, Inc of Kentucky. Instead of adding value, adding
> some type of assurance, all that the UI treatment has done is make it more
> likely that the user will make an unfortunate mistake - a mistake they
> likely wouldn't have made if they were focused on the URL instead of the
> business name displayed.
>
> Adding the state would likely add no value, as most users would have no
> idea where a business is incorporated - and this is often different from
> where their offices are known to be, adding an additional level of
> confusion. There is also the unrelated DBA issue, where the certificate is
> issued to a company name that isn't familiar to the user, which is yet
> another way the UI treatment adds confusion.
>
> While EV validation rules could be changed to make the rules more strict,
> locking new businesses out, all it does is slow the process down - it
> doesn't actually prevent name collisions which could be harmful.
>
> I have long felt that the EV UI treatment is unwarranted, and I still do
> today. Removing the treatment from EV certificates, as it doesn't actually
> add enough value to be justified, still seems to be the correct decision to
> me.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>