Alaric Dailey wrote:
Eddy Nigg (StartCom Ltd.) wrote:
> But imagine now, that a company received an EV certificate and this very
> company turns out to be a real crook....
We fully expect crooked companies to get EV certs. All we hope is that the
EV process prevents them from getting a cert using a name that is not their
own. EV does not mean "safe".
So tell me, what good does an EV cert do?
It keeps people honest.
That's not a contradiction.
Say I'm an old and mostly-blind professor. I meet you for the very first
time, take you into my house, and leave you in my front room next to an
open suitcase containing $50,000. I then go and have a nap.
Now, imagine the same scenario where, before I go for my nap, my
eagle-eyed assistant photographs you from all angles in high detail,
takes your fingerprints and a DNA sample, and copies down your passport
number.
In which scenario are you more likely to act dishonestly and run off
with the suitcase?
Your trustworthiness hasn't changed - nothing has changed about you.
No-one has attempted to measure your trustworthiness. But in the second
scenario, you are more likely to behave in an honest manner, because the
consequences are different.
EV is like the second scenario. The more we know about the applicant,
the more likely it is that they will behave honestly - or rather,
applicants with dishonest intent won't apply.
Gerv