Leo Grove via dev-security-policy <dev-security-policy@lists.mozilla.org> 

>Are you referring to EV Code Signing certificates? I agree that needs to be
>addressed in another forum, but this discussion in on EV SSL/TLS and their
>value (or lack thereof) in the browser UI. Browsers do not support EV Code
>Signing in the UI as far as I know.
>It's been documented that EV Code Signing certificates are on the black
>market. Did you see the same thing for EV SSL/TLS?

Yes, you can buy both, I used the code-signing EV one because I happened to
have a screenshot handy from a writeup I'm working on.  In addition, EV code-
signing certs are much higher value, particularly when they come with
SmartScreen ratings, because they give you instant malware execution on a
billion plus systems, while EV web site certs are kinda meh.  So EV code
signing is the holy grail, the hardest to get, and yet they're readily
available on the black market.  EV web site certs are an afterthought in
comparison, "we also have those if you want 'em".

dev-security-policy mailing list

Reply via email to