> On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> A lot of people have posed suggestions for countermeasures so extreme
> they should not be taken seriously.  This includes discontinuing EV,

I don’t think that removing the EV UI is extreme, and it should definitely be 
taken seriously. The default Android browsers do not have EV at all, and many 
mobile browsers on iOS and Android including Chrome, Firefox, and Brave do not 
either. Those browsers combined have a huge number of pageviews that do not 
have any EV UI right now.

Additionally, all of the research I’ve seen shows that most users have no idea 
what is going on with EV and that it doesn’t help protect users.

> Here is a more reasonable suggestion:
> 
> 1. In the Fx UI, display the actual jurisdictionOfIncorporation instead
>  of just the country, especially where those differ (For example
>  Kentucky versus all-of-US).

It’s not clear how this will help. The jurisdiction that a business entity is 
incorporated in is unrelated to the physical location that the user associates 
with a website (if any); it is based on factors related to corporate law and 
taxation. Even if all users were able to use the EV UI constructively somehow 
(they aren’t), adding a piece of information that is effectively arbitrary is 
not useful.

> 2. Add a rule that if there is a big national or international company
>  with a name, other companies cannot get certificates for the same
>  name in related jurisdictions.  For example if there is a company
>  listed on NYSE or NASDAQ, no similarly named US company can get an
>  EV or OV certificate for that name.  Ditto for a reasonable list of
>  national registries in each country.  CAs should be required to
>  publicly state which "big-status" lists beat local
>  company/organization registrations in each country, and similar for
>  any special lists of major global organizations, such as Google or
>  The Red Cross.

How similar is similar? What if Bancorpsouth Inc, The Bancorp Inc., and U.S. 
Bancorp all want your EV++ certificates? What about Apple Inc. and Apple Corps 
Ltd? Business entity names are not unique. Trying to enforce a unique 
constraint against them, especially with an additional “similarity” fuzzy layer 
is just asking for trouble. Trying to have users also make that determination 
(which is the current state of EV) is similarly troublesome.

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy