L. David Baron wrote:
> First, that's the wrong question to ask, since unless the draft
> explicitly says that it *should* be revoked, a CA is unlikely to do
> so for fear of being sued or otherwise accused of violation of
> contract by the company they're selling the cert to. If you think
> that certificates should be revoked on these grounds, then the
> section on revocation should say so explicitly.

Fair enough.

> Second, yes, it does. B.2.c says explicitly that: "an EV
> certificate is *not* intended to provide any assurances, or
> otherwise represent or warrant: (1) [...] (2) That the Subject named
> in the EV Certificate complies with applicable laws; (3) That the
> Subject named in the EV certificate is trustworthy, honest, or
> reputable in its business dealings [...]"

Indeed. But you can be dishonest without misrepresenting your identity.
I believe this is in there to cover the situation where a user tries to
hold a CA responsible because they paid a firm for something over the
web and it turns out that the director took all the money and ran off to
Tahiti.

But I will seek clarification on this point. Thank you for raising it.

Not many, I agree. However, in order to correctly spoof WAMU (at least
in the IE 7 UI) they would need to incorporate their fake company in the
US. And, if they did that, the information gathered during the EV
process could be used to track the applicant down and prosecute them.

> I'm skeptical of whether law enforcement authorities care, or
> whether victims of phishing care enough to yell at law enforcement
> enough so that they care. The last time I tried to interest law
> enforcement with investigating computer crime, they didn't. Then
> again, that was about 10 years ago.

I suspect things have changed a bit since then; however, you are right,
we cannot be certain that a prosecution will always result.

> Criminal prosecution is a very expensive and complex process, and
> only works as a disincentive if a high enough percentage of
> criminals are prosecuted and convicted. Having simpler incentives
> against crime (such as making the crime harder to commit or less
> profitable) is vastly preferable when possible.

Indeed. And I hope that EV does make the crime harder to commit by
requiring a lot of information, and less profitable by requiring OCSP.
Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security