On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote:
So far I see is a number of contrived test cases picking apart small components 
of EV, and no real data to back it up.
I also would like to see more evidence of problems. However, I have to object to the idea that
Mostly academic...research, imho...
is of little value. This treads dangerously close to nihilism.
https://stripe.ian.sh/: EV certificates with colliding entity names can be 
generated, but to date, I don’t know of any real attacks, just this academic 
exercise. And how much did it cost and how long did it Ian to get certificates 
to perform this experiment?  Way more time and money that a phisher would 
I question that a phisher, who stands potentially to gain hundreds of thousands or millions of dollars by phishing, e.g., the customers of a major bank, would not, as this paper says, invest "48 hours from incorporation to the issuance of the certificate" and "$177". This is a trivial investment for a non-frivolous financial phisher, let alone, say, a foreign government interested in phishing, say, a voter-registration (or -- shudder! -- an e-voting) site.
Yes, I work for a CA that issues EV certificates, but if there was no value in 
them, then our customers would certainly not be paying extra for them.
That your customers may perceive additional value in them doesn't mean that they provide additional value to the general internet user. That said, I lean toward Mozilla letting this debate settle out before hiding EV support in release Firefox.


dev-security-policy mailing list

Reply via email to