On Fri, Aug 30, 2019 at 12:06 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> This is super easy, and doesn't even require you to do any work, like > contacting Google Safe Browsing and asking them to participate in this > conversation. > > Here's the question, and all I'm asking you to do is answer "Yes," "No," > or "I Don't Know" > > **Based on your personal knowledge, does Google Safe Browsing use any EV > certificate Subject information in its anti-phishing algorithms?** That is indeed the question I was asking you, and I hope you can answer. Will you answer it? To recall, since you've shifted the conversation rather substantially, and thus perhaps forgotten the original question, which you've repeatedly avoided: - You made a definitive claim this information is used by one or more parties, and described how it was used. - I asked for details, to understand how they address the obvious issues with using it like this. If you have personal knowledge that GSB uses it like you described, it's reasonable to ask to report back as to how those issues are addressed, from whoever you obtained this knowledge from. If you do not have personal knowledge that GSB uses it like you described, then continuing to discuss GSB is not useful for this discussion. I had thought the question originally asked, of your bold claim, was simple. I'm not sure why you've focused on trying to find out new information, rather than simply sharing more information about what you presented. It would be very useful information to everyone on this list if you would share any sort of information about what you described. Since you made it clear you knew of some organizations using this, it seemed reasonable that you could ask them how they address this, without having to reveal who they are. After all, if they're comfortable with you sharing that they do this, surely they'd have no problem with you sharing, anonymously, how they solve it. Thanks for your cooperation. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
