On Thursday, 12 April 2018 21:28:49 UTC+2, Alex Gaynor wrote:
> All that proves is the entire EV model cannot possibly accomplish what CAs
> claim (with respect to phishing and other similar concerns). To wit:
> - Two companies can validly possess trademarks for the same name in the
> United States (and I assume other jurisdictions)
> - A CA, or anyone else's ability to tell if the identity collision is being
> used maliciously to deceive is totally based on seeing what content is
> being served under that name; the reality of trademark law means that two
> organizations with the same name is not inherently deceptive
> - An actually malicious entity will not broadcast their name collision!
> Instead they'd probably have a benign website that normal users see, and at
> particular URLs sent to their victims, they'd serve the misleading content.
> In conclusion, revoking stripe.ian.sh while ignoring the broader issues WRT
> the limitations of EV's binding of real world corporate identity to domain
> control is security theater at its worst.
Actually, as a browser user I've never understood what it is I'm supposed to
look for in the EV texts being displayed.
There is no definition of what is in it nor of what format it takes; many banks here show
their legal form (which is hardly something people would know or recognize),
some show the name of a holding they are part of, some don't even have EV, some
use all capitals, and there is not even a requirement that the texts be unique...
So, bottom line, it's just free text.
And of very limited use for verifying that it's the organization you are
looking for, I'd say.
Adding some unspecified and therefore unknown "scrubbing" by CAs to it does
not make things any easier. How am I to know which EVs are protected by that
and which are not?
For instance, Stripe did not mean anything to me (and most people here in
Holland I expect) before it got used to demonstrate this "problem". So why
would our local Stripe, Duerswâld 23, 9241 GW Wijnjewoude not be allowed to
have just Stripe V.O.F. as their EV? It's only a restaurant, but from a Dutch
perspective a lot more important than some payment provider elsewhere in the
So I'd say don't go inventing and applying any unwritten new rules. It's useless
enough as it is. ;-)
dev-security-policy mailing list