On Thu, Apr 12, 2018 at 1:03 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
> On Thu, Apr 12, 2018 at 9:45 AM, Ryan Sleevi <r...@sleevi.com> wrote: > >> >> In what way is it misleading though? It fully identified the organization >> that exists, which is a legitimate organization. Thus, the information that >> appears within the certificate itself is not misleading - and I don't think >> 4.9.1.1 applies. >> >> I would refer you to your email, kicking off the 150+ message thread on > this topic back in December, that included these statements: > > "...and more importantly, how easy it is to obtain certificates that may > confuse or mislead users" > "given the ability to provide accurate-but-misleading information in EV > certificates,..." > > https://groups.google.com/d/msg/mozilla.dev.security.policy/szD2KBHfwl8/ > kWLDMfPhBgAJ > Ryan is allowed to change his mind on whether this should be considered misleading. But either way, I do not believe either was misleading. Ian's intent may have been to demonstrate EV's weaknesses, but that doesn't mean Ian was intending to deceive users. If Ian had used this to try to get people to enter their Stripe credentials or something, then that'd be one thing. But registering an LLC and then creating a cert for it is a legitimate activity. If Ian shouldn't have been allowed to register this business, then that's something the state/country he registered the business in should express through laws or adjudication of the registration. The rules and criteria for those processes are established in many countries through a process at least nominally responsive to public values. As it is, this effectively censors Ian's website where he is making a statement about how EV works and how it interacts with trademark/registration laws, through his own registered business. That statement is -- and I'm being serious -- being oppressed, based on a capricious decision by a CA. Ian is now not able to maintain this public demonstration on the internet in any browser (including Chrome, since it's EV), despite having committed no crimes, not having engaged in any malicious behavior, and not harmed any users. That's not the kind of outcome I understand to be consistent with Mozilla's values and commitment to an open web. I'm fine being told that it's not fair to come down on any one CA right now, since it's happened a few times and many folks have considered this normal. But I don't think this is something Mozilla should continue to consider as normal business practices. -- Eric -- konklone.com | @konklone <https://twitter.com/konklone> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
