On 11/12/17 17:00, Ryan Sleevi wrote: > Fundamentally, I think this is misleading. It presumes that, upon > something bad happening, someone can link it back to that certificate > to link it back to that identity. If I was phished, and entered my > credentials, there's no reason to believe I've maintained the record > details including the phishing link to know I was phished. Are users > supposed to spleunk their HTTP cache or maintain complete archives of > every link they visited, such that they can get the cert back from it > to aid an investigation?
This is something that has always worried me about the EV value proposition. Even if it worked perfectly, once one has realised one has been scammed, one would want to find the cert again to know where to serve the lawsuit papers or send the police. Unless your browser caches all EV certs for sites you've ever visited in the past month, and provides some UI for querying that cache, then that's not necessarily going to be possible. So having the info about the site owner in the cert isn't actually useful. CT does address this to a degree, but only to a degree. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
