On Sat, 4 Nov 2006, Eddy Nigg (StartCom Ltd.) wrote:
> It is very common in the CA industry to mark digital certificates in
> some form in order to differentiate between various verification
> procedures.  This is usually done by adding some text to the O or OU
> field in the subject line of a certificate. CA's do the marking
> voluntarily, because of the lack of a different display mode in
> software, except the binary padlock.

How is the user to distinguish when the displayed name is correct?

This is a crucial question.  Right now we have the problem that the
certificate-verified information (the domain name) is chosen by the
attacker, and can be chosen to confuse users.  A name like
"bankofthevvest.com" is confusingly similar to "bankofthewest.com",
and a name like "amazon.tv" collides with "amazon.com" unless you
are aware that they belong to different namespaces.  This is a
common and effective attack tactic.

So how can EV certificates and EV certificate UIs avoid confusing
users with displayed names that are similar, or the same but
registered in different jurisdictions?


-- ?!ng
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
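The two confusions raised in the message (a visually similar label such as "bankofthevvest.com" versus "bankofthewest.com", and the same label under a different TLD such as "amazon.tv" versus "amazon.com") are exactly what a defender-side lookalike check has to catch before a name is shown to a user. The following is an added example, not code from the thread or from any CA or browser vendor: it maps each label to a canonical "skeleton" using a small constructed ASCII confusables table (a much-reduced stand-in for the Unicode UTS #39 table), and compares a candidate hostname against a list of protected domains. The protected list, the `SKELETON_MAP` entries, and the assumption that the TLD is a single label (real code would consult the Public Suffix List) are all assumptions of the example.

```python
from __future__ import annotations

# Added example (not from the original thread): a defender-side check that flags
# candidate hostnames which are confusable with a list of protected domains.
# Two confusions from the discussion are covered:
#   1. visually similar labels, e.g. "vv" rendered like "w" ("bankofthevvest.com");
#   2. the same registrable label under a different TLD ("amazon.tv" vs "amazon.com").
# The skeleton mapping below is a small constructed ASCII subset; the real Unicode
# confusables table (UTS #39) is far larger.

SKELETON_MAP = [
    ("vv", "w"),   # two v's look like a w
    ("rn", "m"),   # r followed by n looks like m
    ("cl", "d"),   # c followed by l looks like d
    ("0", "o"),    # digit zero vs letter o
    ("1", "l"),    # digit one vs lowercase L
    ("|", "l"),    # vertical bar vs lowercase L
]


def skeleton(label: str) -> str:
    """Map a DNS label to a canonical skeleton so that visually similar labels collide."""
    s = label.lower()
    for src, dst in SKELETON_MAP:
        s = s.replace(src, dst)
    return s


def split_domain(host: str) -> tuple[str, str]:
    """Split a hostname into (registrable label, TLD).

    Assumes a single-label TLD, which is a simplification for this example;
    production code would use the Public Suffix List instead.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a registrable domain: {host!r}")
    return parts[-2], parts[-1]


def classify(candidate: str, protected: list[str]) -> list[tuple[str, str]]:
    """Return (reason, protected_domain) for each protected domain the candidate
    could be confused with. An empty list means no confusion was detected."""
    findings: list[tuple[str, str]] = []
    c_label, c_tld = split_domain(candidate)
    for p in protected:
        p_label, p_tld = split_domain(p)
        if (c_label, c_tld) == (p_label, p_tld):
            continue  # exact match: this is the legitimate site itself
        if c_label == p_label and c_tld != p_tld:
            findings.append(("same label, different TLD", p))
        elif skeleton(c_label) == skeleton(p_label):
            findings.append(("visually confusable label", p))
    return findings


if __name__ == "__main__":
    # Constructed protected list and candidates taken from the discussion above.
    protected = ["bankofthewest.com", "amazon.com"]
    for host in ["bankofthevvest.com", "amazon.tv", "amazon.com", "example.org"]:
        print(host, "->", classify(host, protected) or "no confusion detected")
```

The skeleton comparison answers the first question in the message (how the display name could be checked for visual similarity); the TLD comparison answers the second (same name, different namespace). Neither tells the UI which of two colliding names is the "real" one, which is the part an EV display still has to solve with out-of-band verified identity rather than the name string alone.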