Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> 
writes:

><https://www.typewritten.net/writer/ev-phishing/> and
><https://stripe.ian.sh/> both took advantage of weaknesses in two
>government registries 

They weren't "weaknesses in government registries", they were registries
working as designed, and as intended.  The fact that they don't work in
the way EV wishes they did is a flaw in EV, not a problem with the
registries.

>Both demonstrations caused the researchers' real name and identity to become 
>part of the CA record, which was hand waved away by claiming that could 
>have been avoided by criminal means.

It wasn't "wished away", it's avoided without too much trouble by criminals,
see my earlier screenshot of just one of numerous black-market sites where
you can buy fraudulent EV certs from registered companies.  Again, EV may 
wish this wasn't the case, but that's not how the real world works.

>12-year-old study involving an equally outdated browser.

So you've published a more recent peer-reviewed academic study that
refutes the earlier work?  Could you send us the reference?

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
