On 12/12/2017 01:08, Adam Caudill wrote:
>> Even if it is, someone filed the paperwork. Court houses have clerks,
>> guards, video cameras, etc... It still may present a real physical point
>> from which to bootstrap an investigation.
>
> Court houses also have online systems. I think if you read both Ian and
> James' work, you'll see the issues they're raising address this
> hypothetical.
>
>> I shall certainly read their work closely on that matter. In my
>> experience, these generally don't allow filings for new businesses from
>> those not previously known to the court/registrar in real life.
>
> I can say from my own experience, in some states in the US, it's a trivial
> matter to create a company online, with no validation of identity or other
> information. It takes about 10 minutes, and you'll have all the paperwork
> the next day. When I did this (in a state I had never done business in
> before), there were absolutely no identity checks, no identity documents,
> nothing at all that would tie the business to me if I had lied. Creating a
> business with no connection to the people behind it is a very, very simple
> thing to do.
A lot of people have posed suggestions for countermeasures so extreme
they should not be taken seriously. This includes discontinuing EV,
requiring that companies cannot get EV certs during their first year of
existence, or suggesting that only "famous" companies can get EV
certificates.
Here is a more reasonable suggestion:
1. In the Fx UI, display the actual jurisdictionOfIncorporation instead
of just the country, especially where those differ (For example
Kentucky versus all-of-US).
2. Add a rule that if there is a big national or international company
with a name, other companies cannot get certificates for the same
name in related jurisdictions. For example if there is a company
listed on NYSE or NASDAQ, no similarly named US company can get an
EV or OV certificate for that name. Ditto for a reasonable list of
national registries in each country. CAs should be required to
publicly state which "big-status" lists beat local
company/organization registrations in each country, and similar for
any special lists of major global organizations, such as Google or
The Red Cross.
3. Minimum (not maximum) standards for such things need to be published
by the CAB/F.
4. Note that stock exchanges should not be the only list of "nationally
significant companies", as that would exclude a lot of companies with
different ownership structures, such as Mozilla Inc. or the pre-IPO
Google. However the list criteria should be clear and not rely
too heavily on the subjective experience of vetting agents etc.
5. It is worth noting that some countries do use a national company
registry which ensures uniqueness directly. Denmark is one such
country (though the uniqueness checking is probably limited to exact
matches).
6. It should still be possible for local branches and franchise holders
to get EV certificates, if the bigger company approves as part of the
vetting process. For example Google Canada should be able to get a
3rd party EV certificate if the international headquarters of Alphabet
approves it.
Formulating this into formal rules, and selecting appropriate
per-country and global lists of name-dominating organizations will both
take some time and should be done in parallel.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy