On Monday 2006-11-06 14:57 +0000, Gervase Markham wrote:
> L. David Baron wrote:
> >On Wednesday 2006-11-01 22:54 +0000, Gervase Markham wrote:
> >>The guidelines have been developed via a very long and drawn-out
> >>process, including several face-to-face meetings with competing
> >>specifications from different groups of CAs over the past two years.
> >>Eventually and quite recently, a Microsoft employee synthesised a
> >>unified specification, which has now been made available for public
> >>comment. The latest draft of this document can be found here:
> >>http://www.cabforum.org/EV_Certificate_Guidelines_-_Draft_10-2...pdf
> >
> >After skimming some parts of the draft, my biggest concern here is
> >the tension between B.2.a.1 and B.2.c.3, and its implications on
> >when certificates would be revoked.
> >
> >In particular, I think misrepresentation of identity within a Web
> >site that uses an EV cert must be grounds for revocation.
>
> I agree; does any part of the draft say otherwise?

First, that's the wrong question to ask, since unless the draft explicitly says that it *should* be revoked, a CA is unlikely to do so for fear of being sued or otherwise accused of violation of contract by the company they're selling the cert to. If you think that certificates should be revoked on these grounds, then the section on revocation should say so explicitly.

Second, yes, it does. B.2.c says explicitly that:

  "an EV certificate is *not* intended to provide any assurances, or
  otherwise represent or warrant:
  (1) [...]
  (2) That the Subject named in the EV Certificate complies with
  applicable laws;
  (3) That the Subject named in the EV certificate is trustworthy,
  honest, or reputable in its business dealings
  [...]"

> Not many, I agree. However, in order to correctly spoof WAMU (at least
> in the IE 7 UI) they would need to incorporate their fake company in the
> US. And, if they did that, the information gathered during the EV
> process could be used to track the applicant down and prosecute them.

I'm skeptical of whether law enforcement authorities care, or whether victims of phishing care enough to yell at law enforcement enough so that they care. The last time I tried to interest law enforcement with investigating computer crime, they didn't. Then again, that was about 10 years ago.

Criminal prosecution is a very expensive and complex process, and only works as a disincentive if a high enough percentage of criminals are prosecuted and convicted. Having simpler incentives against crime (such as making the crime harder to commit or less profitable) is vastly preferable when possible.

-David

--
L. David Baron <URL: http://dbaron.org/ >
Technical Lead, Layout & CSS, Mozilla Corporation
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
