Certainly, as you noted, one option is to improve EV beyond simply being an assertion of legal existence.
-Tim From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Monday, December 11, 2017 12:46 PM To: Tim Hollebeek <tim.holleb...@digicert.com> Cc: Jonathan Rudenberg <jonat...@titanous.com>; Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: On the value of EV On Mon, Dec 11, 2017 at 2:39 PM, Tim Hollebeek <tim.holleb...@digicert.com <mailto:tim.holleb...@digicert.com> > wrote: Nobody is disputing the fact that these certificates were legitimate given the rules that exist today. However, I don't believe "technically correct, but intentionally misleading" information should be included in certificates. The question is how best to accomplish that. -Tim Note: Jonathan did not mention "intentionally" misleading (instead "properly validated and have correct (but very misleading information) in them". Similarly, I noted that it was providing "accurate-but-misleading". Unless the CA/Browser Forum has determined a way to discern intent (which would be a profound breakthrough in and of itself), we cannot and should not consider intent, and must merely evaluate based on result. As such, the only way to remedy this information is to deny one or more parties the ability to obtain certificates that correctly and accurately reflect their organizational information, which is nominally the value proposition of EV certificates. Unless we're willing to redefine EV certificates as being something other tied to the legal identifier, I don't believe it's fair or beneficial to suggest we can resolve this through validation means. To that end, given the inherent confusion that results from legal identities - and, again, this is a fully valid legal identity being used - I raised the question as to whether or not it should be given the same UI treatment as the unambiguous, fully qualified URL. One option, as noted, is to fully qualify the organization information, if users are to be expected to recognize the nuances of legal identities (and why so many sites seem to be in Delaware and Nevada). However, that seems exceptionally user-hostile and to ignore countless research studies, so another option would be to consider removing the (unqualified) legal identity from the address bar. -----Original Message----- From: Jonathan Rudenberg [mailto:jonat...@titanous.com <mailto:jonat...@titanous.com> ] Sent: Monday, December 11, 2017 12:34 PM To: Tim Hollebeek <tim.holleb...@digicert.com <mailto:tim.holleb...@digicert.com> > Cc: Ryan Sleevi <r...@sleevi.com <mailto:r...@sleevi.com> >; mozilla-dev-security-pol...@lists.mozilla.org <mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: On the value of EV > On Dec 11, 2017, at 14:14, Tim Hollebeek via dev-security-policy > <dev-security-policy@lists.mozilla.org > <mailto:dev-security-policy@lists.mozilla.org> > wrote: > > > It turns out that the CA/Browser Validation working group is currently > looking into how to address these issues, in order to tighten up > validation in these cases. This isn’t a validation issue. Both certificates were properly validated and have correct (but very misleading information) in them. Business entity names are not unique, so it’s not clear how validation changes could address this. I think it makes a lot of sense to get rid of the EV UI, as it can be trivially used to present misleading information to users in the most security-critical browser UI area. My understanding is that the research done to date shows that EV does not help users defend against phishing attacks, it does not influence decision making, and users don’t understand or are confused by EV. Jonathan
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
