Doug Beattie <doug.beat...@globalsign.com> writes:

>One of the reasons that phishers don’t get EV certificates is because the
>vetting process requires several interactions and corporate repositories
>which end up revealing more about their identity. This leaves a trail back
>to the individual that set up the fake site which discourages the use of EV.

Again, this is how it works in theory and in CA sales pitches (OK, that second bit was redundant). Since you can buy EV certs off-the-shelf from underground web sites, or get them directly yourself if you want to put in the effort, it obviously doesn't work that way in practice.

In any case though that's just a distraction: Since phishing has been on the increase year after year, the existence of EV certs is entirely irrelevant. There's a great Dave Barry joke where he explains how to threaten someone with dynamite: You call them up, hold the burning dynamite fuse up to the handset and say "You hear that? That's dynamite baby!". EV certs are the same thing. "You see that? That's an EV cert baby!". It's as effective a threat to phishing as Dave Barry's dynamite threat.

Peter.

This joke has been credited to a number of sources, including Dave Barry. It sounds like a Dave Barry to me.