On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote:
> Yes, I work for a CA that issues EV certificates, but if there was no value 
> in them, then our customers would certainly not be paying extra for them.  
> Shouldn’t the large enterprises that see a value in identity (as does 
> GlobalSign) drive the need for ending EV certificates?  With Google and 
> Mozilla being prominent Let's Encrypt sponsors we know their intent is to 
> drive business to them vs. any of the commercially respectable CAs.  It’s 
> actually counterproductive to security to sponsor a CA that issues so many 
> certificates to phishing and malware sites without any consequences.  Is this 
> to increase the value of their malware site detection services?  Maybe..
> 
> *     https://www.usenix.org/system/files/soups2019-drury.pdf
> *     https://cabforum.org/wp-content/uploads/23.-Update-on-London-Protocol.pdf
> 
> Baffled…


I'm baffled that anyone who has worked for a corporation could, in good faith, 
wonder how executives could be hoodwinked by "security" people telling them 
they need EV certificates, and then going to their low-level tech grunts and 
demanding implementation regardless of value. I have been involved in multiple 
such discussions, and it's always the same.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
