On Thursday, 12 April 2018 21:28:49 UTC+2, Alex Gaynor  wrote:
> All that proves is the entire EV model cannot possibly accomplish what CAs
> claim (with respect to phishing and other similar concerns). To wit:
> - Two companies can validly possess trademarks for the same name in the
> United States (and I assume other jurisdictions)
> - A CA, or anyone else's ability to tell if the identity collision is being
> used maliciously to deceive is totally based on seeing what content is
> being served under that name; the reality of trademark law means that two
> organizations with the same name is not inherently deceptive
> - An actually malicious entity will not broadcast their name collision!
> Instead they'd probably have a benign website that normal users see, and at
> particular URLs sent to their victims, they'd serve the misleading content.
> In conclusion, revoking stripe.ian.sh while ignoring the broader issues WRT
> the limitations of EV's binding of real world corporate identity to domain
> control is security theater at its worst.

Actually as a browser user I've never understood what it is I'm supposed to 
look for in the EV texts being displayed.

There is no definition what is in it nor in what format, many banks here show 
their legal form (which is hardly something people would know or recognize), 
some show the name of a holding they are part of, some don't even have EV, some 
use all capitals, there is not even a requirement that the texts are unique... 
So bottom line it's just free text.

And of very limited use for verifying that it's the organization you are 
looking for, I'd say.

Adding some unspecified and therefore unknown "scrubbing" by CAs to it, does 
not make things any easier. How am I to know which EV's are protected by that 
and which are not?

For instance, Stripe did not mean anything to me (and most people here in 
Holland I expect) before it got used to demonstrate this "problem". So why 
would our local Stripe, Duerswâld 23, 9241 GW Wijnjewoude not be allowed to 
have just Stripe V.O.F. as their EV? It's only a restaurant, but from Dutch 
perspective a lot more important that some payment provider elsewhere in the 

So I'd say don't invent and apply any unwritten new rules. It's useless 
enough as it is. ;-)

CU Hans
dev-security-policy mailing list