These so-called "extended" validation vetting checks on companies for extended validation certificates are supposed to provide the consumer on the website with a high level of assurance that the company has been properly validated, but the fact is that these so-called "extended" validation vetting checks are nothing more than basic checks. The Disclosure and Barring Service (DBS) in the United Kingdom conducts more vetting checks on an individual applying for a basic DBS check than CAs do for so-called "extended" validation certificates for companies.
I have serious doubts over the methods used by CAs to conduct these so-called "extended" validation vetting checks. This is from personal experience of going through dozens and dozens of validation checks of all types of certificates with different CAs. These so-called "extended" validation certificates should be removed forthwith because they are not performing the intended job they were supposed to be made for, and given that these so-called "extended" validation certificates are nothing more than basic checks, it is in a way falsely advertising to consumers on the websites that use these so-called "extended" validation certificates that they have been validated to an "extended" level of vetting, which they have not.

Burton

On Thu, Aug 29, 2019 at 8:17 PM Ryan Sleevi via dev-security-policy <[email protected]> wrote:
>
> On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy <
> [email protected]> wrote:
>
> > Sure, I'm happy to explain, using Bank of America as an example.
>
>
> Kirk,
>
> Thanks for providing this example. Could you help me understand how it
> helps determine that things are safe? For example, the reputation system
> you described, which is more akin to code signing than what is generally
> practiced in anti-phishing, seems like if it was implemented, it would
> leave users at significant risk from compromise on EV sites. That is, if an
> EV-using site was compromised and displayed a phishing form, the fact that
> it had "good" reputation would actually be actively harmful to users'
> security, because it would make it harder to provide timely responsiveness.
> That is, it would be a false negative.
>
> In this case, the use of EV certificates, and the presumption of
> reputation, would lead to actively worse security.
>
> Did I misunderstand the scenario?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

