On Thu, Apr 12, 2018 at 12:54 PM, Matthew Hardeman <mharde...@gmail.com>
> Because the common Internet user who has any awareness of the name Stripe
> will expect that reference to be to the particular Stripe that processes
> payments and that they've likely interacted with before.

This is a patently distasteful argument based on broad generalizations that
do not hold any merit. I realize you've acknowledged your argument is
fundamentally a popularity contest, but it seems to really base its core on
"Whoever Matthew Hardeman doesn't think should have a certificate" -
because there's zero data to support your claim that "will expect", or a
definition of what constitutes a "common Internet user" (especially in a
global context). I realize it sounds compelling, but you're making up
strawmen to support that argument, and the core is an opposition to some
people being able to get (EV) certificates as a result.

>> In the DNS space, this is an extremely complex, nuanced issue, with the
>> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
>> to try to put parties on semi-equitable footing. The current approach being
>> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
>> all things one would expect from such policies.
> There's no reason to make it that complex.  EV is an enhancement, not a
> requirement.  The displayed name should be the issued to that party which
> the largest majority of users recognize that name as being affiliated with.

So the rules are made up and the certificates are meaningless, then, since
it's all a popularity contest with shifting requirements based on made up
ideas. It's certificate Calvinball, and it's a rather silly game to play
because of it.
dev-security-policy mailing list
