As the token bad guy in this forum, I can promise you that I will resort to trickery, deception, lies, fraud, and even theft in order to get what I want. It should, perhaps, come as no surprise that those same tactics will surface when applying for an EV cert. With that in mind, it is in the CA's own best interest to improve the policies and requirements behind EV issuance. The finance industry has regulations generally known as "Know Your Customer" (KYC) that are intended to stave off such things as money laundering, terrorist financing, and the like. While not directly applicable to CAs and EV, KYC nonetheless might serve as a model whereby clients are scrutinized before certain actions are permitted by the CA. For example, it seems indefensible to me that a CA should issue an EV cert to a company that has no prior history and offers only the thinnest of evidence of its legitimacy, as was documented in the original reports. All CAs must do better in that regard. I don't think it's unreasonable for CAs to have a documented, pre-existing relationship with an EV requester prior to the actual EV issuance. Further, an EV requester must do more than offer its existence; it must be able to prove its legitimacy as an organization, institution, individual, and so forth. Such a requester should already have a presence on the Internet and, ideally, be able to demonstrate a level of competency in operating a secure web server. There seems no justification in my mind for a company to go from nonexistent to EV cert holder in 24 hours' time, for instance. I also would discourage the use of statements such as "EV will prevent phishing attacks", as such claims are misleading. A phishing attack may take many forms, and setting up a fake website is but one of them. Likewise, my reasons for setting up a fake website are many and might have nothing to do with phishing. Instead, I would recommend a more direct approach: "EV certs allow you to associate your company name with your domain names".

There is value in that alone. Again I will state that it's in the best interests of CAs to improve their EV issuing guidelines and practices. While CAs no doubt enjoy charging a premium for EV services, there is no reason for browsers or the security community to recognize any service that is based on vapor. Indeed, the community seems to be saying right now that the status quo is not acceptable. The time for action is now.

Happy to share the details. We only had about 10 minutes on the agenda, so the discussion hasn't been too detailed so far (there is still a lot of fallout from CAA that is dominating many validation discussions). There was a general consensus that companies with intentionally misleading names, and companies that are recently created shell companies solely for the purpose of obtaining a certificate, should not be able to get an EV certificate. Exactly what additional validation or rules might help with that problem, while not unnecessarily burdening legitimate businesses, will require more time and discussion, which is why if anyone has good ideas, I'd love to hear them.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

