Reposting as I accidentally sent to Mr. Mill only.
On Thu, Apr 12, 2018 at 1:57 PM, Eric Mill <e...@konklone.com> wrote:
> But he did not deceive users. Demonstrating that this is possible is not
> itself an act of deception.
Except that if he can't maintain a working EV certificate in a name that
may deceive users, then that would make the text misleading/deceiving. In
a lovely chicken/egg debate fashion, the CA managed to make his website
>>> As it is, this effectively censors Ian's website where he is making a
>>> statement about how EV works and how it interacts with
>>> trademark/registration laws, through his own registered business. That
>>> statement is -- and I'm being serious -- being oppressed, based on a
>>> capricious decision by a CA.
>> The only sense in which it censors his website is that he doesn't
>> presently have an EV certificate on it. If he wants it to be available to
>> the public again, he can get a DV certificate for it any time.
> No, this act took his website down immediately for reasons related to its
> statement (rather than any deceptive actions). That's censorship, even if
> options exist to work around this censorship. If his registrar had disabled
> his DNS, would it have been okay to describe that as "well, he can just get
> another registrar who doesn't think his site is deceptive! Or he can just
> use an IP address!". No, that would have been a Big Deal.
Except that by killing the certificate, the CA has demonstrated that he
can't get and keep an EV certificate with a deceptive name. If his text
suggests otherwise, it's now deceptive.
>> Of course, that would break his proof-of-concept exploit. Which is the
>> right outcome. It demonstrates that an EV certificate used in a manner
>> which might cause confusion will be revoked. They're not stopping him from
>> publishing. He can still do that, without the benefit of an EV certificate.
> The stripe.ian.sh site itself is not likely to cause confusion, and was
> not an exploit. Here's what stripe.ian.sh looks like right now:
> This is not going to confuse anyone into thinking they're interacting with
> the payment processing company. Stripe, LLC, the Kentucky-registered
> company owned by Ian Carroll, is perfectly free to publish the statement
> above. If the payment processing company objects, their appropriate method
> of redress in the US is through the judicial system, or other
> government-designed arbitration processes.
The confusion that they object to is presumably that the certificate would
be allowed. By not allowing it, they made that come true.
>>> Ian is now not able to maintain this public demonstration on the internet
>>> in any browser (including Chrome, since it's EV), despite having committed
>>> no crimes, not having engaged in any malicious behavior, and not harmed any
>> He could always just use a DV certificate, but then he wouldn't be able
>> to drag along GoDaddy's endorsement and attach it to his particular
>> exercise of free speech to which GoDaddy apparently objects.
> GoDaddy issuing an EV certificate can't be construed as endorsing the
> speech on that website (and I am sure GoDaddy's lawyers would agree with
> me!). GoDaddy would hardly be able to issue many EV certificates at all if
> they were constantly expected to be endorsing the website contents of those
> who receive them.
Of course they would. And for all kinds of liability reasons that should
remain the official line. Having said that, it's pretty apparent that the
users who do look at EV indicators do seem to rely upon it as at least an
endorsement of the identity of the party you're communicating with. No
doubt GoDaddy is aware of that and doesn't intend to disabuse the public of
dev-security-policy mailing list