On Tuesday, October 8, 2019 at 10:36:19 PM UTC-5, Matt Palmer wrote:
> On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy 
> wrote:
> > Why isn’t anyone’s head blowing up over the Let’s Encrypt stats?
> Because those stats don't show anything worth blowing up one's head over.  I
> don't see anything in them that indicates that those 14,000 certificates --
> or even one certificate, for that matter -- was issued without validating
> control over the domain name(s) indicated in the certificates.

Validation compliance is not the topic of this thread. Stripe Inc was able to 
get their EV certificate in a compliant way after all. It sounds like since 14k 
DV certs were issued to phishing sites in a compliant way, everything is a-ok?

What are your thoughts if those 14k certs were EV? 

> EV and DV serve different purposes, and while DV is more-or-less solving the
> problem it sets out to solve, the credible evidence presented shows that EV
> does not solve any problem that browsers are interested in.
> > If people think “EV is broken” they must think DV is stuck in hell with
> > broken legs.
> Alternately, people realise that EV and DV serve different purposes through
> different methods, and thus cannot be compared in the trivial and flippant
> way you suggest.
> - Matt

You've mentioned "EV and DV serve different purposes" twice and I think that is 
misleading. EV requires DV validation as well, and they both serve to 
authenticate and encrypt. However, EV goes beyond authenticating only the 
domain name which is where DV stops. EV attempts to bind the domain name to an 
actual owner. 

People deploying EV expect to get DV and something more. When the browsers stop 
displaying the EV UI, it will be indistinguishable from DV on cursory glance. 
To me, this shows EV and DV serve similar purposes, but EV attempts to go 
further in the context of authentication.
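The "DV and something more" point above can be made concrete at the certificate level. The following is an added example, not code from this thread or from any participant: a small standard-library-only DER walker that collects every object identifier in a certificate-shaped blob and classifies it as DV or EV from what it finds. The CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV) and the X.520 subject attributes are real; the two sample "certificates" are constructed inline (only a subject and a certificatePolicies extension, no signature or key) purely so the example runs offline.

```python
# Added example: tell a DV-only certificate from an EV one by the OIDs it carries.
# Standard library only; sample inputs below are constructed, not real certificates.
from typing import List

# CA/Browser Forum policy OIDs and the X.520 subject attributes EV adds.
OID_CABF_EV = "2.23.140.1.1"
OID_CABF_DV = "2.23.140.1.2.1"
OID_CERT_POLICIES = "2.5.29.32"
OID_COMMON_NAME = "2.5.4.3"
OID_ORGANIZATION = "2.5.4.10"
OID_SERIAL_NUMBER = "2.5.4.5"          # registration number of the legal entity
OID_BUSINESS_CATEGORY = "2.5.4.15"
OID_JURISDICTION_COUNTRY = "1.3.6.1.4.1.311.60.2.1.3"
REQUIRED_EV_SUBJECT = {OID_ORGANIZATION, OID_SERIAL_NUMBER,
                       OID_BUSINESS_CATEGORY, OID_JURISDICTION_COUNTRY}


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length header (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    values, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(cur)
            cur = 0
    if not values:
        raise ValueError("empty OID")
    v = values[0]
    arcs = [v // 40, v % 40] if v < 80 else [2, v - 80]
    return ".".join(map(str, arcs + values[1:]))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_oids(buf: bytes) -> List[str]:
    """Collect every OID in buf, descending into constructed types and into
    OCTET STRINGs that themselves parse as DER (extension values are wrapped so)."""
    found, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        if pos > len(buf):
            raise ValueError("truncated DER")
        if tag == 0x06:
            found.append(decode_oid(content))
        elif tag & 0x20:                      # SEQUENCE, SET, ...
            found.extend(parse_oids(content))
        elif tag == 0x04:                     # OCTET STRING: try, ignore if not DER
            try:
                found.extend(parse_oids(content))
            except (ValueError, IndexError):
                pass
    return found


def classify(cert_der: bytes) -> str:
    """DV certs assert the DV policy and name only the domain; EV certs assert the
    EV policy and bind the domain to a registered legal entity in the Subject."""
    oids = set(parse_oids(cert_der))
    if OID_CABF_EV in oids and REQUIRED_EV_SUBJECT <= oids:
        return "EV"
    if OID_CABF_EV in oids:
        return "EV policy asserted but identity attributes missing"
    if OID_CABF_DV in oids:
        return "DV"
    return "unknown"


# --- constructed samples (subject + certificatePolicies only, not real certs) ---
def attr(oid: str, value: str) -> bytes:
    return der(0x31, der(0x30, encode_oid(oid) + der(0x0C, value.encode())))


def policies_ext(policy_oid: str) -> bytes:
    inner = der(0x30, der(0x30, encode_oid(policy_oid)))   # certificatePolicies
    return der(0x30, encode_oid(OID_CERT_POLICIES) + der(0x04, inner))


SAMPLE_DV = der(0x30, der(0x30, attr(OID_COMMON_NAME, "example.test"))
               + policies_ext(OID_CABF_DV))
SAMPLE_EV = der(0x30, der(0x30, attr(OID_COMMON_NAME, "example.test")
                          + attr(OID_ORGANIZATION, "Example Corp")
                          + attr(OID_SERIAL_NUMBER, "12345678")
                          + attr(OID_BUSINESS_CATEGORY, "Private Organization")
                          + attr(OID_JURISDICTION_COUNTRY, "US"))
               + policies_ext(OID_CABF_EV))

if __name__ == "__main__":
    print("DV sample ->", classify(SAMPLE_DV))
    print("EV sample ->", classify(SAMPLE_EV))
```

The classifier deliberately does not stop at the policy OID: once browsers drop the EV indicator, the only thing left that separates the two in an inventory or a certificate-transparency feed is the Subject content, so it checks that the organisation, registration number, business category and jurisdiction attributes are actually present rather than trusting the asserted policy alone. Feeding it a real DER certificate (for example one read from a CT log) works the same way, since extension values are OCTET STRING-wrapped DER.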
