On 12/12/2017 18:31, Jonathan Rudenberg wrote:
> On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy
> <[email protected]> wrote:
>> A lot of people have posed suggestions for countermeasures so extreme
>> they should not be taken seriously. This includes discontinuing EV,
> I don’t think that removing the EV UI is extreme, and it should definitely be
> taken seriously. The default Android browsers do not have EV at all, and many
> mobile browsers on iOS and Android including Chrome, Firefox, and Brave do not
> either. Those browsers combined have a huge number of pageviews that do not
> have any EV UI right now.
Using intentionally non-functional mini-browsers as examples of what
functionality can be removed from serious desktop browsers is a really
bad idea. Just look at how the market has widely rejected attempts to
put a mobile device user interface on PCs.
> Additionally, all of the research I’ve seen shows that most users have no idea
> what is going on with EV and that it doesn’t help protect users.
While the EV interface is confusing to users (with such misleading
elements as "The website does not supply identity information" displayed
for OV certificates), the difference between having their name and
address displayed in the browser is very effectively marketed to
business owners, and arguably adds to the user's sense of being on an
official site.
This is the same situation for many of the other marks and decals that
can be displayed by a business, online or offline. Most users don't
understand the full meaning and implications, but still semi-consciously
use them to tell reputable businesses from dodgy ones.
>> Here is a more reasonable suggestion:
>> 1. In the Fx UI, display the actual jurisdictionOfIncorporation instead
>> of just the country, especially where those differ (For example
>> Kentucky versus all-of-US).
> It’s not clear how this will help. The jurisdiction that a business entity is
> incorporated in is unrelated to the physical location that the user associates
> with a website (if any) and is based on factors related to corporate law and
> taxation. Even if all users were able to use the EV UI constructively somehow
> (they aren’t), adding a piece of information that is effectively arbitrary is
> not useful.
This is only the case for tax-dodging company structures. It is rarely
the case for local businesses, which is the case where distinguishing
between equally-genuine companies in different places matters to users.
>> 2. Add a rule that if there is a big national or international company
>> with a name, other companies cannot get certificates for the same
>> name in related jurisdictions. For example if there is a company
>> listed on NYSE or NASDAQ, no similarly named US company can get an
>> EV or OV certificate for that name. Ditto for a reasonable list of
>> national registries in each country. CAs should be required to
>> publicly state which "big-status" lists beat local
>> company/organization registrations in each country, and similar for
>> any special lists of major global organizations, such as Google or
>> The Red Cross.
> How similar is similar? What if Bancorpsouth Inc, The Bancorp Inc., and U.S.
> Bancorp all want your EV++ certificates? What about Apple Inc. and Apple Corps
> Ltd? Business entity names are not unique. Trying to enforce a unique
> constraint against them, especially with an additional “similarity” fuzzy layer
> is just asking for trouble. Trying to have users also make that determination
> (which is the current state of EV) is similarly troublesome.
The similarity factor would be very limited. Something like "strip away
words that just mean company or organization, replace punctuation by
spaces, then compare case-insensitively".
Anyway, the similarity thing is not the point, the point would be about
essentially identical company names, such as "Apple" (Beatles music
rights company) vs. "Apple" (California Computer and music company named
after the Beatles one). While Beatles are themselves famous, their
company entity has a very small international presence compared to the
computer company.
And there is also the option of just letting governments (including
courts) deal with the risk of companies holding misleading names, and
simply declaring that this is not our problem. If the government says
this company is allowed to call itself Spring Inc, it can get an EV
certificate for Spring Inc. (Domain names in EV certs should still be
subject to domain verification).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
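Worked example (added by the editor, not code from either poster or from any CA): the name-normalization rule Jakob sketches above ("strip away words that just mean company or organization, replace punctuation by spaces, then compare case-insensitively"), run against the names Jonathan raises. The designator word list and the "big-status" registry are constructed for the example and are assumptions, not a real registry. It shows that the rule does make "Spring Inc", "Spring, Inc." and "SPRING INC" collide as intended, but treats "Apple Inc." and "Apple Corps Ltd" as distinct (since "Corps" is not a designator), keeps all three Bancorp names apart, and, because punctuation becomes whitespace, even distinguishes "U.S. Bancorp" from "US Bancorp".

```python
import re
import unicodedata
from typing import Iterable, List

# Words that "just mean company or organization". This list is a constructed
# assumption for the example; a real rule would need per-jurisdiction tables
# (and would have to decide what to do with multi-token designators such as A/S).
ORG_DESIGNATORS = frozenset({
    "inc", "incorporated", "corp", "corporation", "co", "company",
    "ltd", "limited", "llc", "llp", "lp", "plc", "gmbh", "ag", "sa",
})

# Anything that is neither a word character nor whitespace is punctuation here.
_PUNCT = re.compile(r"[^\w\s]")


def normalize_org_name(name: str) -> str:
    """Canonical form of an organization name under the proposed rule.

    1. Unicode-normalize (NFKC) so visually identical strings compare equal.
    2. Replace punctuation with spaces ("U.S." -> "U S ").
    3. Split on whitespace, casefold each token.
    4. Drop tokens that are corporate designators.
    """
    text = unicodedata.normalize("NFKC", name)
    text = _PUNCT.sub(" ", text)
    tokens = [t.casefold() for t in text.split()]
    tokens = [t for t in tokens if t not in ORG_DESIGNATORS]
    return " ".join(tokens)


def names_collide(a: str, b: str) -> bool:
    """True when two names are 'essentially identical' under the rule."""
    return normalize_org_name(a) == normalize_org_name(b)


def find_collisions(applicant: str, registry: Iterable[str]) -> List[str]:
    """Registry entries an applicant's name would collide with.

    This is the CA-side check the proposal implies: an EV/OV applicant is
    compared against a published "big-status" list before issuance.
    """
    key = normalize_org_name(applicant)
    return [entry for entry in registry if normalize_org_name(entry) == key]


# Constructed "big-status" list for the demo (not a real exchange listing).
BIG_STATUS_LIST = [
    "Apple Inc.",
    "Spring Inc",
    "U.S. Bancorp",
    "The Bancorp Inc.",
    "Bancorpsouth Inc",
]


def demo() -> dict:
    """Run the thread's examples through the rule; returns applicant -> collisions."""
    applicants = [
        "SPRING, inc.",        # same entity name, different case/punctuation
        "Spring Ltd",          # different legal form, same name
        "Apple Corps Ltd",     # Jonathan's Apple example
        "US Bancorp",          # abbreviation written without dots
        "Apple",               # bare name
    ]
    return {a: find_collisions(a, BIG_STATUS_LIST) for a in applicants}


if __name__ == "__main__":
    for applicant, hits in demo().items():
        print(f"{applicant!r:20} -> {hits}")
```

The last two cases are the caveat a CA implementing this would hit first: "US Bancorp" does not match "U.S. Bancorp" because punctuation-to-space splits the abbreviation into two tokens, so a name-collision rule needs an explicit abbreviation policy, and a bare "Apple" collides with "Apple Inc." but not with "Apple Corps Ltd", exactly the kind of borderline Jonathan's reply is pointing at.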