On Sun, Dec 17, 2017 at 6:38 PM, Peter Kurrasch via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Again I will state that it's in the best interests of CAs to improve
> their EV issuing guidelines and practices. While CAs no doubt enjoy
> charging a premium for EV services there is no reason for browsers or the
> security community to recognize any service that is based on vapor. Indeed,
> the community seems to be saying right now that the status quo is not
> acceptable. The time for action is now.

I would disagree with this assertion.

The value of EV for a CA exists in the ability to extract a premium for that product, and, where possible, to shift liability. The liability shift (as seen in EMV in Europe vs US banking) hasn't happened - the user isn't liable for relying on a DV cert vs an EV cert - but that's certainly been a position some CAs have espoused. However, the financial incentives are such that it is in a CA's interest to sell to as many customers as possible at a premium.

The dynamics of certificates are such that those who are most affected (Relying Parties/users) have the least effective control - certificates are chosen by sites, not users. Browsers act as proxies for users, by informing CAs that they will block sites (CAs' customers) if CAs do not comply with new issuance rules (such as deprecating SHA-1). The balance is such that browsers do so with great care and thought - holding 'users' hostage is never an ideal outcome, yet at the same time, the collective bargaining power ("market share") enables individual users to be secured where the ecosystem might otherwise seek to the bottom.

There's no reason to believe that a removal of EV UI would necessarily impact this calculus - the existence of and adoption of OV shows CAs can be quite successful promoting products that do not affect browser treatment. That's not to say some CAs don't try to promote their products - whether through public efforts (such as here on m.d.s.p) or through private lobbying efforts, whether in legislative or regulatory spheres (e.g. PCI-DSS) - but the market is sufficiently confused and complex enough that it's difficult to be an informed buyer, and thus easy to be swayed by marketing.

The value of EV should rest on its technical merits or its empirical data. We should be willing to be bold and make changes - after all, EV itself was a grand experiment - but we shouldn't expect EV to start providing value, no more than we should expect John Frum to save us all.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy