On Thu, Apr 12, 2018 at 2:28 PM, Alex Gaynor <agay...@mozilla.com> wrote:

> All that proves is the entire EV model cannot possibly accomplish what CAs
> claims (with respect to phishing and other similar concerns). To whit:
> - Two companies can validly possess trademarks for the same name in the
> United States (and I assume other jurisdictions)
> - A CA, or anyone else's ability to tell if the identity collision is
> being used maliciously to deceive is totally based on seeing what content
> is being served under that name; the reality of trademark law means that
> two organizations with the same name is not inherently deceptive
> - An actually malicious entity will not broadcast their name collision!
> Instead they'd probably have a benign website that normal users see, and at
> particular URLs sent to their victims, they'd serve the misleading content.
> In conclusion, revoking stripe.ian.sh while ignoring the broader issues
> WRT the limitations of EV's binding of real world corporate identity to
> domain control is security theater at its worst.
> Alex
I do believe that the EV guidelines and program as it exists today need to
change.  Clearly, the direction I would change it in is ideologically at
odds with a majority of active participants who've weighed in to this point.

Perhaps EV changes to require a seasoned history?
Perhaps EV requires advance publication for scrutiny by the public and
current holders?
Perhaps EV requires active monitoring of the sites of the active corpus of
certs by the issuing CAs?

I'd rather see an optional enhanced trust indicator with reasonable
guidelines and enforcement than have numerous charlatans manage to get one
or more garbage ones incorporated into some moronic regulatory scheme.
dev-security-policy mailing list

Reply via email to