This is useful feedback.  Thanks.

-Tim

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy
Sent: Tuesday, December 12, 2017 6:36 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: On the value of EV

On 12/12/2017 01:08, Adam Caudill wrote:
>>>> Even if it is, someone filed the paperwork.  Court houses have
>>>> clerks, guards, video cameras, etc...  It still may present a real
>>>> physical point from which to bootstrap an investigation.
>>>
>>> Court houses also have online systems. I think if you read both Ian
>>> and James' work, you'll see the issues they're raising address this
>>> hypothetical.
>>
>> I shall certainly read their work closely on that matter.  In my
>> experience, these generally don't allow filings for new businesses
>> from those not previously known to the court/registrar in real life.
> 
> I can say from my own experience, in some states in the US, it's a
> trivial matter to create a company online, with no validation of
> identity or other information. It takes about 10 minutes, and you'll
> have all the paperwork the next day. When I did this (in a state I had
> never done business in before), there were absolutely no identity
> checks, no identity documents, nothing at all that would tie the
> business to me if I had lied. Creating a business with no connection
> to the people behind it is a very, very simple thing to do.
> 

A lot of people have posed suggestions for countermeasures so extreme they 
should not be taken seriously.  This includes discontinuing EV, requiring that 
companies cannot get EV certs during their first year of existence, or 
suggesting that only "famous" companies can get EV certificates.

Here is a more reasonable suggestion:

1. In the Fx UI, display the actual jurisdictionOfIncorporation instead
   of just the country, especially where those differ (For example
   Kentucky versus all-of-US).

2. Add a rule that if there is a big national or international company
   with a name, other companies cannot get certificates for the same
   name in related jurisdictions.  For example if there is a company
   listed on NYSE or NASDAQ, no similarly named US company can get an
   EV or OV certificate for that name.  Ditto for a reasonable list of
   national registries in each country.  CAs should be required to
   publicly state which "big-status" lists beat local
   company/organization registrations in each country, and similar for
   any special lists of major global organizations, such as Google or
   The Red Cross.

3. Minimum (not maximum) standards for such things need to be published
   by the CAB/F.

4. Note that stock exchanges should not be the only list of "nationally
   significant companies", as that would exclude a lot of companies with
   different ownership structures, such as Mozilla Inc. or the pre-IPO
   Google.  However the list criteria should be clear and not rely
   too heavily on the subjective experience of vetting agents etc.

5. It is worth noting that some countries do use a national company
   registry which ensures uniqueness directly.  Denmark is one such
   country (though the uniqueness checking is probably limited to exact
   matches).

6. It should still be possible for local branches and franchise holders
   to get EV certificates, if the bigger company approves as part of the
   vetting process.  For example Google Canada should be able to get a
   3rd party EV certificate if the international headquarters of Alphabet
   approves it.

Formulating this into formal rules, and selecting appropriate per-country and 
global lists of name-dominating organizations will both take some time and 
should be done in parallel.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

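Point 1 of Jakob's list (show the jurisdictionOfIncorporation, not just the country) depends on the EV subject DN carrying the jurisdiction attributes alongside the plain C attribute. The following is an added example, not code from the thread, from Firefox or from any CA: a minimal DER Name encoder/decoder plus the display rule it would feed, run over two constructed subject DNs, one for a hypothetical Kentucky corporation and one for a hypothetical Danish company registered nationally. The OID assignments are the published EV and X.520 ones; the organisation names, function names and display format are assumptions made here.

```python
"""Show the jurisdiction of incorporation from an EV subject DN, not just the country.
Added example (not from the thread): a minimal DER Name codec plus the display rule.
Sample DNs at the bottom are constructed.  1.3.6.1.4.1.311.60.2.1.x are the CA/B Forum
EV jurisdictionOfIncorporation OIDs; 2.5.4.x are standard X.520 attribute types."""

OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionL",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionST",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC",
}
OIDS_BY_NAME = {v: k for k, v in OID_NAMES.items()}

def _der_len(n):
    if n < 0x80:                              # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: 0x8N then N length octets

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def encode_name(attrs):
    """attrs: list of (short name, value); each becomes a single-valued RDN."""
    rdns = b""
    for short, value in attrs:
        atv = _tlv(0x06, encode_oid(OIDS_BY_NAME[short])) + _tlv(0x0C, value.encode())
        rdns += _tlv(0x31, _tlv(0x30, atv))  # SET OF { SEQUENCE { OID, UTF8String } }
    return _tlv(0x30, rdns)                   # SEQUENCE OF RDN

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Parse a DER Name into {short name or dotted OID: text value}."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):               # an RDN may carry several attributes
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_raw, p = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, p) # PrintableString and UTF8String both decode as UTF-8
            oid = decode_oid(oid_raw)
            attrs[OID_NAMES.get(oid, oid)] = val_raw.decode("utf-8")
    return attrs

def jurisdiction_of_incorporation(attrs):
    """Most specific jurisdiction asserted, e.g. 'Kentucky, US' rather than 'US'."""
    parts = (attrs.get(k) for k in ("jurisdictionL", "jurisdictionST", "jurisdictionC"))
    return ", ".join(p for p in parts if p)

def ev_identity_line(attrs):
    """(display string, True when the jurisdiction is narrower than or differs from C)."""
    country = attrs.get("C", "")
    juris = jurisdiction_of_incorporation(attrs) or country
    differs = ("jurisdictionST" in attrs or "jurisdictionL" in attrs
               or attrs.get("jurisdictionC", country) != country)
    return f"{attrs.get('O', '?')} ({juris})", differs

# Constructed sample subjects (hypothetical organisations, not real certificates).
KENTUCKY_CORP = encode_name([("C", "US"), ("ST", "Kentucky"), ("O", "Example Corp"),
                             ("jurisdictionC", "US"), ("jurisdictionST", "Kentucky"),
                             ("CN", "www.example.com")])
NATIONAL_CORP = encode_name([("C", "DK"), ("O", "Example A/S"), ("jurisdictionC", "DK"),
                             ("CN", "www.example.dk")])

if __name__ == "__main__":
    for der in (KENTUCKY_CORP, NATIONAL_CORP):
        print(*ev_identity_line(decode_name(der)))
```

The Kentucky subject renders as "Example Corp (Kentucky, US)" with the differs flag set, which is the case point 1 wants surfaced; the Danish one renders as "Example A/S (DK)" with the flag clear, since the national registry is the jurisdiction. The constructed Kentucky DN is longer than 127 bytes, so the parser's long-form length path is exercised rather than only the short form.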