Ka-Ping Yee wrote:
So how can EV certificates and EV certificate UIs avoid confusing
users with displayed names that are similar, or the same but
registered in different jurisdictions?

Eddy's suggestion which prompted your question did not relate to EV. However, I will answer the question anyway. The IE UI, at any rate, shows the jurisdiction (country).

I would note in this connection that phishing is a crime (it's deception and fraud). If someone gets an EV cert with misleading information in it (say they set up a real company called Bank Of The VVest) and uses it for phishing, then the information gathered as part of the EV process can be used to track them down and convict them.

If they are spoofing the real Bank of the West, then their company has to be US-based, otherwise the jurisdiction indicator will say something else and the spoof will not be complete. And even if they aren't US-based, it doesn't matter; local law enforcement can deal with them.

The point of EV is not that it's impossible for someone to get one and commit fraud. The point is that if they do, you know enough about them that you can arrest them and prosecute them. The guidelines have been opened for review so people can see if they will result in a sufficient level of validation that either a) the information is correct, or b) the fraudster needs to spend a disproportionate amount of time, money and effort faking, spoofing or subverting all of the different data sources used - such that they won't bother.

We are seeking comments on whether they achieve this goal.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security