As much as I hate to thread-police, I do want to re-iterate that the discussion about whether CAs should or should not issue certificates to legitimate domain holders, and/or whether they should revoke such certificates for domain holders, is itself an entirely separate issue, and one has been discussed heavily in the past, with positions being expressed. Similarly, the discussion of other ways to express revocation data, while interesting and itself rife with its own set of policy implications (consider the recent cessationOfOperation vs keyCompromise discussion), it's also not germane to a discussion about the value of EV UI :)
On Thu, Dec 14, 2017 at 10:13 AM, Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Of course, the main reason Comodo gets sucked into this swamp is the > price point. That isn't necessarily their fault. > > As I've pointed out elsewhere, Comodo has some great ideas about fixing > revocation that would go a long way towards solving the "misbehave only > after issuance" problem that you correctly pointed out. > > -Tim > > > -----Original Message----- > > From: Rob Stradling [mailto:rob.stradl...@comodo.com] > > Sent: Thursday, December 14, 2017 6:01 AM > > To: Tim Hollebeek <tim.holleb...@digicert.com> > > Cc: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Gervase Markham > > <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org; Tim > > Shirley <tshir...@trustwave.com> > > Subject: Re: On the value of EV > > > > On 14/12/17 00:25, Tim Hollebeek via dev-security-policy wrote: > > > If you look at where the HTTPS phishing certificates come from, they > > > come almost entirely from Let's Encrypt and Comodo. > > > > > > This is perhaps the best argument in favor of distinguishing between > > > CAs that care about phishing and those that don't. > > > > Tim, > > > > We reject certificate requests for sites that are already known to engage > in > > phishing, and we revoke (for all the good that does) certificates for > sites that > > are subsequently discovered to have engaged in phishing. > > > > IIUC, you're saying that "CAs that care about phishing" are ~100% > successful > > at avoiding issuing certs to phishing sites. If so, that's great! > Perhaps you > > could help us to become one of the "CAs that care about phishing" by > sharing > > your crystal ball technology with us, so that we too can avoid issuing > certs to > > sites that subsequently engage in phishing? > > > > -- > > Rob Stradling > > Senior Research & Development Scientist > > COMODO - Creating Trust Online > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
