On Mon, Dec 11, 2017 at 2:31 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> (Reposting as I accidentally replied directly to OP ).
>
> Part of this discussion will necessarily have to include who the intended
> and potential beneficiaries of EV certificate status are:
>
> 1.  Is it the common web end user?  If so, EV either needs to go or be
> massively changed.
> 2.  Is it for the kind of person who could properly investigate corporate
> documents and structure AND would have some benefit in knowing that a given
> website is asserted by cryptographic signature to be affiliated to a given
> real world entity?  If so, few changes are needed but several could be
> helpful.
>

Agreed that these are potential goals, which is why I tried to provide a
specific and narrow set of questions, so that we can avoid ratholing on
those.

Specifically, I was asking about 1, as that is what comes from the UI
treatment. A conclusion of 2 implies the UI should go.


> 1.  Requirement in objective/mostly objective terms of notoriety of
> client.  High note-worthiness of EV applicant would be required.
> Validation procedures would modify to ensure that the commonly held "note
> worthy" entity is actually the one applying.
>

Naturally, this falls apart at "Internet scale".


> 2.  Stability of entity records.  The corporate structure is known and has
> been unchanged, perhaps for a year or more.  Effectively, no EV for
> startups or any new or restructured entity that can't show lengthy and
> broad claim to the name.
>

This seems to create a bifurcated Internet which is not "open and
accessible" (per Item 2 on the Mozilla Manifesto). Namely, if it favors or
empowers incumbents, and the only ability to be trusted by users is to 'sit
around' so you have a stable corporate identity, then we're not creating a
neutral, open platform.


> If EV status is intended for business, asset management, and legal
> professionals, then it's easier.  Add mandatory validated parameters for
> official registry from which the data was referenced (ex: Alabama Secretary
> of State, Corporations Division) as well as originally filed for
> registration (ex: State of AL, County of Jefferson Probate Court).  Give
> the docket or document numbers or entity registration number as appropriate
> for each of these.  Attempt to construe a scope of exclusivity and indicate
> that in lieu of just Country in the green bar.
>

The EV guidelines already encompass this information - the jurisdiction
fields, combined with the serialNumber, which is the unique identifying
number for that entity within the jurisdictional registry, which is unique
per jurisdictional boundary.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
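The reply above points out that an EV subject already carries the jurisdiction attributes plus a serialNumber that is unique within that registry. The following Go program is an added example, not code from the thread or from Mozilla: it builds a self-signed certificate with a constructed EV-style subject (sample values such as "Example Corp", "Alabama" and registration number "000123456" are made up), then parses it back and extracts those attributes into a registry key of the form jurisdiction#serialNumber. The OIDs are the ones the CA/Browser Forum EV Guidelines assign: jurisdictionLocalityName 1.3.6.1.4.1.311.60.2.1.1, jurisdictionStateOrProvinceName 1.3.6.1.4.1.311.60.2.1.2, jurisdictionCountryName 1.3.6.1.4.1.311.60.2.1.3, businessCategory 2.5.4.15 and serialNumber 2.5.4.5. Only the standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OIDs of the EV-specific subject attributes (CA/Browser Forum EV Guidelines).
var (
	oidBusinessCategory        = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionLocality    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 1}
	oidJurisdictionStateOrProv = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}
	oidJurisdictionCountry     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// EVIdentity is the registry-level identity an EV subject asserts.
type EVIdentity struct {
	Organization     string
	SerialNumber     string // registration number within the jurisdictional registry
	BusinessCategory string
	JurisdictionC    string
	JurisdictionST   string
	JurisdictionL    string
}

// ExtractEVIdentity reads the EV attributes from a parsed certificate's subject.
// It fails if serialNumber or jurisdictionCountryName is missing, because without
// both the (jurisdiction, serialNumber) pair cannot name a registry entry.
func ExtractEVIdentity(cert *x509.Certificate) (EVIdentity, error) {
	id := EVIdentity{SerialNumber: cert.Subject.SerialNumber}
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	// Subject.Names holds every parsed attribute, including non-standard OIDs.
	for _, atv := range cert.Subject.Names {
		s, ok := atv.Value.(string)
		if !ok {
			continue
		}
		switch {
		case atv.Type.Equal(oidBusinessCategory):
			id.BusinessCategory = s
		case atv.Type.Equal(oidJurisdictionCountry):
			id.JurisdictionC = s
		case atv.Type.Equal(oidJurisdictionStateOrProv):
			id.JurisdictionST = s
		case atv.Type.Equal(oidJurisdictionLocality):
			id.JurisdictionL = s
		}
	}
	if id.SerialNumber == "" || id.JurisdictionC == "" {
		return id, fmt.Errorf("subject lacks serialNumber or jurisdictionCountryName; not an EV-style subject")
	}
	return id, nil
}

// RegistryKey is the value that is unique per jurisdictional boundary:
// the jurisdiction fields (country, then state, then locality if present) plus the registration number.
func (id EVIdentity) RegistryKey() string {
	var parts []string
	for _, p := range []string{id.JurisdictionC, id.JurisdictionST, id.JurisdictionL} {
		if p != "" {
			parts = append(parts, p)
		}
	}
	return strings.Join(parts, "/") + "#" + id.SerialNumber
}

// MakeSampleCert builds a self-signed certificate with a constructed subject.
// With withEV set, it adds the EV attributes; otherwise it is a plain DV-style subject.
func MakeSampleCert(withEV bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: "www.example.com"} // constructed sample values
	if withEV {
		subject.Organization = []string{"Example Corp"}
		subject.Country = []string{"US"}
		subject.SerialNumber = "000123456" // made-up registration number
		subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "US"},
			{Type: oidJurisdictionStateOrProv, Value: "Alabama"},
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"www.example.com"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeSampleCert(true)
	if err != nil {
		panic(err)
	}
	id, err := ExtractEVIdentity(cert)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s registered as %s (%s)\n", id.Organization, id.RegistryKey(), id.BusinessCategory)
}
```

The same extraction works on a real EV leaf loaded with x509.ParseCertificate; the point of the registry key is that the serialNumber alone is not unique across registries, so a relying party must always combine it with the jurisdiction attributes.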
