Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Tom Ritter via dev-security-policy
On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy wrote: > > Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: > > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > > > Whatever the merits of EV (and perhaps there are some -- I'm not >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Peter Bowen via dev-security-policy
On Thu, Aug 22, 2019 at 1:44 PM kirkhalloregon--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Some have responded there is no research saying EV sites have > significantly less phishing (and are therefore safer) than DV sites – Tim > has listed two studies that say

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 3:53 PM, Daniel Marschall via dev-security-policy wrote: Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: Whatever the merits of EV (and perhaps there are some -- I'm not convinced either way)

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Daniel Marschall via dev-security-policy
Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > Whatever the merits of EV (and perhaps there are some -- I'm not > convinced either way) this data is negligible evidence of them. A DV > cert is

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jakob Bohm via dev-security-policy
[Please note that the way MS Outlook marks quoted text doesn't work well with Mozilla mail programs]. On 23/08/2019 22:37, Jeremy Rowley wrote: >> 1. I believe the BRs and/or underlying technical standards are very >> clear if the ST field should be a full name ("California") or an >>

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 23, 2019 at 4:37 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > >> 1. I believe the BRs and/or underlying technical standards are very >clear if the ST field should be a full name ("California") or an >abbreviation ("CA"). > > This

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 23, 2019 at 4:18 PM Jeremy Rowley wrote: > > I can think of some incremental steps here: > > > - Disclosing exact detailed procedures via CP/CPS > > > > Maybe an addendum to the CPS. Or RPS. I’ll experiment and post something > to see what the community thinks. > Yup. I've seen

RE: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jeremy Rowley via dev-security-policy
>> 1. I believe the BRs and/or underlying technical standards are very clear if the ST field should be a full name ("California") or an abbreviation ("CA"). This is only true of the EV guidelines and only for Jurisdiction of Incorporation. There is no formatting requirement for place of

RE: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jeremy Rowley via dev-security-policy
>> I'm a little nervous about encouraging wide use of OCR. You may recall at >> least one CA was bit by an issue in which their OCR system misidentified >> letters - https://bugzilla.mozilla.org/show_bug.cgi?id=1311713 >> That's why I was keen to suggest technical solutions which would verify

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread sslcorp.team--- via dev-security-policy
> > Correlation does not imply causation. > > There are studies that show phishing sites tend not to be EV - yes. > That's a correlation. > > If we studied phishing sites and domain name registration fees I'm > sure we'd find a correlation there too - I'd bet the .cfd TLD (which > apparently

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 23, 2019 at 2:00 PM Jeremy Rowley wrote: > > >- Could you highlight a bit more your proposal here? My understanding >is that, despite the Handelsregister ("Commercial Register") being >available at a country level, it's further subdivided into a list of >county or

RE: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jeremy Rowley via dev-security-policy
* Could you highlight a bit more your proposal here? My understanding is that, despite the Handelsregister ("Commercial Register") being available at a country level, it's further subdivided into a list of county or region - e.g. the Amtsgericht Herne ("Local Court Herne"). * It

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 6:41 AM, Tom Ritter via dev-security-policy wrote: On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jakob Bohm via dev-security-policy
On 23/08/2019 04:29, Jeremy Rowley wrote: I posted this tonight: https://bugzilla.mozilla.org/show_bug.cgi?id=1576013. It's sort of an extension of the "some-state" issue, but with the incorporation information of an EV cert. The tl;dr of the bug is that sometimes the information isn't

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 22, 2019 at 10:29 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I posted this tonight: > https://bugzilla.mozilla.org/show_bug.cgi?id=1576013. It's sort of an > extension of the "some-state" issue, but with the incorporation information >

Re: Auditor letters and incident reports

2019-08-23 Thread clemens.wanko--- via dev-security-policy
Dear all, just a short note on that with regard to auditing and Audit Attestations based upon ETSI: throughout the audit we check the incidents of the current audit period as documented by the CA (have they been addressed at a sufficient level, have the measures taken proven that they are

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Tom Ritter via dev-security-policy
On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: > > On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: > > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > > I can tell you that anti-phishing services and browser phishing filters