On Thu, Apr 12, 2018 at 2:41 PM, Matthew Hardeman <mharde...@gmail.com> wrote:

> On Thu, Apr 12, 2018 at 1:24 PM, Eric Mill <e...@konklone.com> wrote:
>
>> Ian's intent may have been to demonstrate EV's weaknesses, but that
>> doesn't mean Ian was intending to deceive users. If Ian had used this to
>> try to get people to enter their Stripe credentials or something, then
>> that'd be one thing. But registering an LLC and then creating a cert for it
>> is a legitimate activity.
>>
>
> Except that Ian intended to demonstrate that he could receive and maintain
> a valid EV certificate to be utilized in a manner which may deceive users.
> Not deceive with lies, but deceive in terms of bucking their expectations.
>

But he did not deceive users. Demonstrating that this is possible is not
itself an act of deception.

>> As it is, this effectively censors Ian's website where he is making a
>> statement about how EV works and how it interacts with
>> trademark/registration laws, through his own registered business. That
>> statement is -- and I'm being serious -- being oppressed, based on a
>> capricious decision by a CA.
>>
>
> The only sense in which it censors his website is that he doesn't
> presently have an EV certificate on it. If he wants it to be available to
> the public again, he can get a DV certificate for it any time.
>

No, this act took his website down immediately for reasons related to its
statement (rather than any deceptive actions). That's censorship, even if
options exist to work around this censorship. If his registrar had disabled
his DNS, would it have been okay to describe that as "well, he can just get
another registrar who doesn't think his site is deceptive! Or he can just
use an IP address!". No, that would have been a Big Deal.

> Of course, that would break his proof-of-concept exploit. Which is the
> right outcome. It demonstrates that an EV certificate used in a manner
> which might cause confusion will be revoked. They're not stopping him from
> publishing. He can still do that, without the benefit of an EV certificate.
>

The stripe.ian.sh site itself is not likely to cause confusion, and was not
an exploit. Here's what stripe.ian.sh looks like right now:

This is not going to confuse anyone into thinking they're interacting with
the payment processing company. Stripe, LLC, the Kentucky-registered company
owned by Ian Carroll, is perfectly free to publish the statement above. If
the payment processing company objects, their appropriate method of redress
in the US is through the judicial system, or other government-designed
arbitration processes.

>> Ian is now not able to maintain this public demonstration on the internet
>> in any browser (including Chrome, since it's EV), despite having committed
>> no crimes, not having engaged in any malicious behavior, and not harmed any
>> users.
>>
>
> He could always just use a DV certificate, but then he wouldn't be able to
> drag along GoDaddy's endorsement and attach it to his particular exercise
> of free speech to which GoDaddy apparently objects.
>

GoDaddy issuing an EV certificate can't be construed as endorsing the speech
on that website (and I am sure GoDaddy's lawyers would agree with me!).
GoDaddy would hardly be able to issue many EV certificates at all if they
were constantly expected to be endorsing the website contents of those who
receive them.

But the last part of your sentence is correct: GoDaddy apparently objects to
Ian's particular exercise of free speech. And that's the problem.

-- 
Eric
konklone.com | @konklone <https://twitter.com/konklone>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy