On Thu, Apr 12, 2018 at 2:28 PM, Alex Gaynor <agay...@mozilla.com> wrote:
> All that proves is the entire EV model cannot possibly accomplish what CAs > claims (with respect to phishing and other similar concerns). To whit: > > - Two companies can validly possess trademarks for the same name in the > United States (and I assume other jurisdictions) > - A CA, or anyone else's ability to tell if the identity collision is > being used maliciously to deceive is totally based on seeing what content > is being served under that name; the reality of trademark law means that > two organizations with the same name is not inherently deceptive > - An actually malicious entity will not broadcast their name collision! > Instead they'd probably have a benign website that normal users see, and at > particular URLs sent to their victims, they'd serve the misleading content. > > In conclusion, revoking stripe.ian.sh while ignoring the broader issues > WRT the limitations of EV's binding of real world corporate identity to > domain control is security theater at its worst. > > Alex > > I do believe that the EV guidelines and program as it exists today need to change. Clearly, the direction I would change it in is ideologically at odds with a majority of active participants who've weighed in to this point. Perhaps EV changes to require a seasoned history? Perhaps EV requires advance publication for scrutiny by the public and current holders? Perhaps EV requires active monitoring of the sites of the active corpus of certs by the issuing CAs? I'd rather see an optional enhanced trust indicator with reasonable guidelines and enforcement than have numerous charlatans manage to get one or more garbage ones incorporated into some moronic regulatory scheme. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
