I'm merely an interested community member.

I'm writing because I'm aghast that yet another CA has issued a certificate for 
Stripe, Inc.... of Kentucky.

One would think that the various commercial CAs would consider their communal 
self-interests in today's marketplace.

The commercial CA historically has commanded significant valuation as a 
recurring revenue model in a market with high barriers to entry.

Recently, however, economies of scale and new entrants have taken the value of 
DV-certificates to approximately $0.00 at retail.

You'd think a premium product like EV certificates, which must be a significant 
source of commercial CA revenue, would be jealously policed and guarded by CAs.

You'd think the various CAs who are all required to read this mailing list 
would keep up with the controversy around this same business entity and an EV 
certificate issued and fairly promptly revoked by Comodo.

Every time these matters arise, it raises serious community concerns as to the 
value and appropriateness of browser favoritism afforded EV certificates.

Will it survive this time?  Who can say.

But we definitely can ask GoDaddy CA why they issued a certificate for the same 
entity that in quite recent memory sparked controversy on this forum.



PS - I strongly suggest that any CA interested in preserving EV revenue get 
with the others and come up with a publish-for-opposition before issuance 
scheme and mandatory field-of-use monitoring for lifetime of issued 
certificates for EV or some real enhancement which will confound those who would 
attempt to get these kinds of certificates.  This is technically not a 
mis-issuance, and that's a significant problem for the value case of EV.
dev-security-policy mailing list
