> See also the screenshot I posted earlier.  That was from a black-market web
> site selling EV certificates to anyone with the stolen credit cards to pay for
> them.  These are legit EV certs issued to legit companies, available off the
> shelf for criminals to use.  For a little extra payment you can get ones with
> high SmartShield scores so your malware is instantly trusted by the victim's
> PC.


Are you referring to EV Code Signing certificates? I agree that needs to be 
addressed in another forum, but this discussion is on EV SSL/TLS and their
value (or lack thereof) in the browser UI. Browsers do not support EV Code 
Signing in the UI as far as I know. 

It's been documented that EV Code Signing certificates are on the black market. 
Did you see the same thing for EV SSL/TLS? 


> >The burden is not on the web browsers to prove that EV is detrimental to
> >security - the burden is on third parties to prove that EV is beneficial.
> Yup, as per my previous post.  We've got a vast amount of data on this, if
> there was a benefit to users then it shouldn't be hard to show that from the
> data.
> Peter.

dev-security-policy mailing list
