Gervase Markham wrote:

> I agree that it's possible that a loophole may be found; however, we have mechanisms in place to update the standard when and if it is.

Will happen. Just a matter of time.

> (I can't envisage a scenario where fraudsters are regularly getting hold of EV certs and no-one notices; by the very nature of fraud, someone will notice.)

Calling them fraudsters makes them sound unsophisticated. I can certainly envision criminals regularly exploiting EV certs. That is the status quo with normal certs, and it doesn't seem to bother the CAs much.

> So I don't think the possibility of future problems should prevent us from going ahead; after all, someone could break SSL tomorrow, but we still use it for now.

I think it should stop us from covering our UI in green bars and locks that are trivial to spoof in content. We know users aren't very good at distinguishing chrome from content in the first place, and even my bank site looks like a scam--it's got some corny lock gif right there next to the form.

I think it's safe to say you're not going to convince me. I do hope we treat this initiative with a little more skepticism as we explore it further, and it bothers me that I don't see an incentive for the CAs to prevent EV certs from becoming as much of a joke as normal certs. I wonder if I can pay cash for those at 7-11.

-Rob


_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security