On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value
> in them, then our customers would certainly not be paying extra for them.
> Shouldn’t the large enterprises that see a value in identity (as does
> GlobalSign) drive the need for ending EV certificates? With Google and
> Mozilla being prominent Let's Encrypt sponsors we know their intent is to
> drive business to them vs. any of the commercially respectable CAs. It’s
> actually counterproductive to security to sponsor a CA that issues so many
> certificates to phishing and malware sites without any consequences. Is this
> to increase the value of their malware site detection services? Maybe..
>
> * https://www.usenix.org/system/files/soups2019-drury.pdf
> * https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
>
> Baffled…
I'm baffled that anyone who has worked for a corporation could, in good faith, wonder how executives could be hoodwinked by "security" people telling them they need EV certificates, and then going to their low-level tech grunts and demanding implementation regardless of value. I have been involved in multiple such discussions, and it's always the same.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

