On Thu, Apr 12, 2018 at 11:45 AM, Ryan Sleevi <r...@sleevi.com> wrote:

> In what way is it misleading though? It fully identified the organization
> that exists, which is a legitimate organization. Thus, the information that
> appears within the certificate itself is not misleading - and I don't think
> applies.

Because the common Internet user who has any awareness of the name Stripe
will expect that reference to be to the particular Stripe that processes
payments and that they've likely interacted with before.

> Or are we saying it's misleading because some browsers only display a
> portion of that information in their security UI? If so, is that a failure
> of the security UI (for not showing all the information present)? Or is the
> argument that it's misleading if any two entities share the same O and C
> (the information displayed)? Is it still misleading if the Cs differ? If
> this is the vein to take, should CAs then be responsible for examining CT
> (or other sources) to determine if two organizations share the same (or
> similar?) names, regardless of incorporation location, and refuse to issue
> if there is an extant cert for a different organization? Or we can continue
> taking the argument further, by suggesting that if a smaller organization
> gets the cert first, they could find their cert revoked if a more 'popular'
> organization with the same name wants a cert instead.

The smaller organization losing the name to a more popular later comer is
possible, but it's unlikely that the party who arrives later will be able
to take the name if the smaller entity fights for it.  For that matter,
larger entities usually diligently search for a unique name to either buy
if need be or claim for their own.

> In the DNS space, this is an extremely complex, nuanced issue, with the
> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
> to try to put parties on semi-equitable footing. The current approach being
> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
> all things one would expect from such policies.

There's no reason to make it that complex.  EV is an enhancement, not a
requirement.  The displayed name should be issued to that party which
the largest majority of users recognize that name as being affiliated with.

dev-security-policy mailing list