Hi, I'm merely an interested community member.

I'm writing because I'm aghast that yet another CA has issued a certificate for Stripe, Inc.... of Kentucky.

One would think that the various commercial CAs would consider their communal self-interests in today's marketplace. The commercial CA historically has commanded significant valuation as a recurring revenue model in a market with high barriers to entry. Recently, however, economies of scale and new entrants have taken the value of DV-certificates to approximately $0.00 at retail.

You'd think a premium product like EV certificates, which must be a significant source of commercial CA revenue, would be jealously policed and guarded by CAs. You'd think the various CAs who are all required to read this mailing list would keep up with the controversy around this same business entity and an EV certificate issued and fairly promptly revoked by Comodo.

Every time these matters arise, it raises serious community concerns as to the value and appropriateness of browser favoritism afforded EV certificates. Will it survive this time? Who can say? But we definitely can ask GoDaddy CA why they issued a certificate for the same entity that in quite recent memory sparked controversy on this forum.

Thanks,

Matt

PS - I strongly suggest that any CA interested in preserving EV revenue get with the others and come up with a publish-for-opposition before issuance scheme and mandatory field-of-use monitoring for lifetime of issued certificates for EV or some real enhancement which will confound those who would attempt to get these kinds of certificates. This is technically not a mis-issuance, and that's a significant problem for the value case of EV.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy