On Thu, Apr 12, 2018 at 1:24 PM, Eric Mill <e...@konklone.com> wrote:

> Ian's intent may have been to demonstrate EV's weaknesses, but that
> doesn't mean Ian was intending to deceive users. If Ian had used this to
> try to get people to enter their Stripe credentials or something, then
> that'd be one thing. But registering an LLC and then creating a cert for it
> is a legitimate activity.

Except that Ian intended to demonstrate that he could receive and maintain
a valid EV certificate to be utilized in a manner which may deceive users.
Not deceive with lies, but deceive in terms of bucking their expectations.

> If Ian shouldn't have been allowed to register this business, then that's
> something the state/country he registered the business in should express
> through laws or adjudication of the registration. The rules and criteria
> for those processes are established in many countries through a process at
> least nominally responsive to public values.
>
> As it is, this effectively censors Ian's website where he is making a
> statement about how EV works and how it interacts with
> trademark/registration laws, through his own registered business. That
> statement is -- and I'm being serious -- being oppressed, based on a
> capricious decision by a CA.

The only sense in which it censors his website is that he doesn't presently
have an EV certificate on it.  If he wants it to be available to the public
again, he can get a DV certificate for it any time.  Of course, that would
break his proof-of-concept exploit.  Which is the right outcome.  It
demonstrates that an EV certificate used in a manner which might cause
confusion will be revoked.  They're not stopping him from publishing.  He
can still do that, without the benefit of an EV certificate.

> Ian is now not able to maintain this public demonstration on the internet
> in any browser (including Chrome, since it's EV), despite having committed
> no crimes, not having engaged in any malicious behavior, and not harmed any
> users.

He could always just use a DV certificate, but then he wouldn't be able to
drag along GoDaddy's endorsement and attach it to his particular exercise
of free speech to which GoDaddy apparently objects.

dev-security-policy mailing list