On Thu, Apr 12, 2018 at 1:32 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> On Thu, Apr 12, 2018 at 10:28 AM, Matthew Hardeman <mharde...@gmail.com>
> wrote:
>
>>
>>
>> On Thu, Apr 12, 2018 at 12:24 PM, Ryan Sleevi <r...@sleevi.com> wrote:
>>
>>>
>>> So Apple Computer is misleading to customers of Apple Records, and Apple
>>> Records is misleading to customers of Apple Computer, is that the argument?
>>> In which case, no one named "Apple" should get a certificate, right?
>>>
>>>
>> Your example is perfect support for my position.
>>
>> Apple Computer and Apple Records have a long and well published animosity
>> between them over sharing the name, but between lawsuits and settlement
>> actions have managed to arrive at agreement where both can be Apple for
>> certain uses and in certain scopes.
>>
>> What does the average internet user expect Apple to refer to?  Yep -
>> Apple the computer / iPhone people.  Want it to say Apple?  It needs to be
>> them.
>>
>> If Apple Records wants an EV certificate that clearly says Apple Records
>> I think that's clearly different enough that they should be able to.   But
>> not Apple, that's perverse to simple common everyday expectation.
>>
>
> In this example, I believe the EV certs would contain O = "Apple, Inc."
> and O = "Apple Corps Ltd", or at least O = "Apple Records (Apple Corps Ltd)"
>

Yet you can have O = "Apple (Apple, Inc.)" and O = "Apple (Apple Corps
Ltd.)", at least under the EVGs today.

Similarly, "Apple Computer", under the proposed methodology by Matthew,
would not have been able to get an EV certificate, as at the time, "Apple
Corps" was the more popular Apple. Which is part of why it's a terrible
idea.

Do we think those two Apple subject names are misleading? If yes, why? If
no, what makes "O=Stripe, Inc., ST=Kentucky" misleading compared to
"O=Stripe, Inc., ST=California"?

For that matter, why isn't "O=Stripe, Inc., ST=California,
jurisdictionStateOrProvinceName=Delaware" confusing - does the "average
Internet user" understand the distinction between those two states being
presented? Is saying they're in California misleading, since they're a
Delaware corporation? In that regard, Ian's certificate is less misleading
- he's incorporated where he operates.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
