On Wed, Aug 28, 2019 at 11:51:37AM -0700, Josef Schneider via 
dev-security-policy wrote:
> On Tuesday, 27 August 2019 at 00:48:38 UTC+2, Matt Palmer wrote:
> > On Mon, Aug 26, 2019 at 05:39:14AM -0700, Josef Schneider via 
> > dev-security-policy wrote:
> > > Sure I can register a company and get an EV certificate for that company. 
> > > But can I do this completely anonymously like getting a DV cert?
> > 
> > Yes.
> Not legally probably

Someone planning to commit fraud is unlikely to be deterred by the need to
commit fraud in order to commit fraud.

> and this also depends on the jurisdiction.  Since an
> EV cert shows the jurisdiction, a user can draw conclusions from that.

You're suggesting that Relying Parties need to familiarise themselves with
the validation procedures of every jurisdiction which is listed in an EV
certificate they are presented with, in order to establish the
trustworthiness of that EV certificate?

I'm just going to leave that there.  For posterity.

> > > Nobody is arguing that EV certificates are perfect and everything is good
> > > if you use them.  But they do raise the bar for criminals.  And in my
> > > opinion, significantly.
> > 
> > Except criminals don't need them.  Raising the bar doesn't help if you don't
> > need to go over the bar.
> But removing the bar is also not the correct solution.  If you find out
> that the back door to your house is not secured properly, will you remove
> the front door because it doesn't matter anyway or do you strengthen the
> back door?

The problem with your analogy is that, in the case under discussion, there
is no known way to secure the back door, and it's the broken and unfixable
back door, not the front door, that is being removed.

So yes, if my back door was insecure, and the best information available
indicated that it couldn't be secured, and it was causing me time and money
to maintain in its current, insecure, state, I would absolutely remove it. 
I expect you would, too.  Although I can certainly understand that if you
were making money by allowing people to use my broken back door, you might
want to encourage me not to remove it.

> > > What I propose is for Mozilla to not say "Fuck it, it's not working, just
> > > remove it!" but instead try to focus on finding a better UX solution to
> > > the problem that end users are not aware if a site that should have an EV
> > > certificate is not presenting one.
> > 
> > Why should Mozilla do all this work?  So far, all the evidence suggests that
> > EV certs do not do what their advocates say they do, and have a significant
> > cost to browsers (code complexity, administration of EV bits, etc) and
> > relying parties (need to learn what the EV UI means, what it does and
> > doesn't claim, etc).
> Why should Mozilla do work to make the situation worse?  The current EV
> validation information in the URL works and is helpful to some users
> (maybe only a small percentage of users, but still...).  Why is Mozilla
> interested in spending money making the situation worse?  If Mozilla
> doesn't care about the empowerment of their users, the default would be to
> not change anything, not actively making it worse.

Not being Mozilla, I wouldn't presume to speak for them, but two
possibilities leap immediately to mind:

* It costs time and money to maintain the list of trust anchors approved for
  EV treatment -- OID mappings, evaluating EV sections of CP/CPSes, chasing
  audit reports, dealing with incident reports relating to EV validation
  failures, and discussing and evaluating proposed changes to the EVGLs.

* EV-related code in Mozilla software requires maintenance as other changes
  in surrounding code are made.  Less code == less things to change, so
  gutting the EV support reduces maintenance costs.

> EV certificates do make more assurances about the certificate owner than
> DV certificates.  This is a fact.  This information can be very useful for
> someone that understands what it means.  Probably most users don't
> understand what it means.  But why not improve the display of this
> valuable information instead of hiding it?

Because there is no indication of what an improved EV UI would look like.

I note that you've neglected to answer the question I posed.  If CAs sat
down and did some research into what an actual, useful EV UI would involve,
then Mozilla would have something to work from.  But it would appear that
CAs -- the organisations, I'll reiterate, that benefit financially from the
continued special UI treatment of EV certificates -- are not interested in
making such a contribution.

- Matt

dev-security-policy mailing list
