I'm merely an interested community member.
I'm writing because I'm aghast that yet another CA has issued a certificate for
Stripe, Inc.... of Kentucky.
One would think that the various commercial CAs would consider their communal
self-interests in today's marketplace.
The commercial CA historically has commanded significant valuation as a
recurring revenue model in a market with high barriers to entry.
Recently, however, economies of scale and new entrants have taken the value of
DV-certificates to approximately $0.00 at retail.
You'd think a premium product like EV certificates, which must be a significant
source of commercial CA revenue, would be jealously policed and guarded by CAs.
You'd think the various CAs who are all required to read this mailing list
would keep up with the controversy around this same business entity and an EV
certificate issued and fairly promptly revoked by Comodo.
Every time these matters arise, it raises serious community concerns as to the
value and appropriateness of browser favoritism afforded EV certificates.
Will it survive this time? Who can say.
But we definitely can ask GoDaddy CA why they issued a certificate for the same
entity that in quite recent memory sparked controversy on this forum.
PS - I strongly suggest that any CA interested in preserving EV revenue get
with the others and come up with a publish-for-opposition before issuance
scheme and mandatory field-of-use monitoring for lifetime of issued
certificates for EV or some real enhancement which will confound those who would
attempt to get these kinds of certificates. This is technically not a
mis-issuance, and that's a significant problem for the value case of EV.
dev-security-policy mailing list