On Thu, Apr 12, 2018 at 2:41 PM, Matthew Hardeman <mharde...@gmail.com>

> On Thu, Apr 12, 2018 at 1:24 PM, Eric Mill <e...@konklone.com> wrote:
>> Ian's intent may have been to demonstrate EV's weaknesses, but that
>> doesn't mean Ian was intending to deceive users. If Ian had used this to
>> try to get people to enter their Stripe credentials or something, then
>> that'd be one thing. But registering an LLC and then creating a cert for it
>> is a legitimate activity.
> Except that Ian intended to demonstrate that he could receive and maintain
> a valid EV certificate to be utilized in a manner which may deceive users.
> Not deceive with lies, but deceive in terms of buck their expectations.

But he did not deceive users. Demonstrating that this is possible is not
itself an act of deception.

As it is, this effectively censors Ian's website where he is making a
>> statement about how EV works and how it interacts with
>> trademark/registration laws, through his own registered business. That
>> statement is -- and I'm being serious -- being oppressed, based on a
>> capricious decision by a CA.
> The only sense in which it censors his website is that he doesn't
> presently have an EV certificate on it.  If he wants it to be available to
> the public again, he can get a DV certificate for it any time.

No, this act took his website down immediately for reasons related to its
statement (rather than any deceptive actions). That's censorship, even if
options exist to work around this censorship. If his registrar had disabled
his DNS, would it have been okay to describe that as "well, he can just get
another registrar who doesn't think his site is deceptive! Or he can just
use an IP address!". No, that would have been a Big Deal.

Of course, that would break his proof-of-concept exploit.  Which is the
> right outcome.  It demonstrates that an EV certificate used in a manner
> which might cause confusion will be revoked.  They're not stopping him from
> publishing.  He can still do that, without the benefit of an EV certificate.

The stripe.ian.sh site itself is not likely to cause confusion, and was not
an exploit. Here's what stripe.ian.sh looks like right now:

This is not going to confuse anyone into thinking they're interacting with
the payment processing company. Stripe, LLC, the Kentucky-registered
company owned by Ian Carroll, is perfectly free to publish the statement
above. If the payment processing company objects, their appropriate method
of redress in the US is through the judicial system, or other
government-designed arbitration processes.

> Ian is now not able to maintain this public demonstration on the internet
>> in any browser (including Chrome, since it's EV), despite having committed
>> no crimes, not having engaged in any malicious behavior, and not harmed any
>> users.
> He could always just use a DV certificate, but then he wouldn't be able to
> drag along GoDaddy's endorsement and attach it to his particular exercise
> of free speech to which GoDaddy apparently objects.

GoDaddy issuing an EV certificate can't be construed as endorsing the
speech on that website (and I am sure GoDaddy's lawyers would agree with
me!). GoDaddy would hardly be able to issue many EV certificates at all if
they were constantly expected to be endorsing the website contents of those
who receive them.

But the last part of your sentence is correct: GoDaddy apparently objects
to Ian's particular exercise of free speech. And that's the problem.

-- Eric

konklone.com | @konklone <https://twitter.com/konklone>
dev-security-policy mailing list

Reply via email to