RE: On the value of EV

9 PM > To: Ryan Sleevi <r...@sleevi.com> > Cc: mozilla-dev-security-policy pol...@lists.mozilla.org> > Subject: Re: On the value of EV > > Thank you Ryan for raising this question, and to everyone who has been > contributing in a constructive manner to the discussion. A num

Re: On the value of EV

On 18/12/2017 21:54, Andrew wrote: On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: Thank you Ryan for raising this question, and to everyone who has been contributing in a constructive manner to the discussion. A number of excellent points have been raised on the

Re: On the value of EV

On Mon, Dec 18, 2017 at 03:04:11PM -0800, Ian Carroll via dev-security-policy wrote: > > I do wonder how many users actually make the connection that the country code > next to the company name is in fact a country code. And even if you do make the connection, it's not always obvious even in

Re: On the value of EV

On Monday, December 18, 2017 at 4:54:24 PM UTC-5, Andrew wrote: > On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > > Thank you Ryan for raising this question, and to everyone who has been > > contributing in a constructive manner to the discussion. A number of > > excellent

Re: On the value of EV

On Mon, Dec 18, 2017 at 4:09 PM, Wayne Thayer wrote: > Thank you Ryan for raising this question, and to everyone who has been > contributing in a constructive manner to the discussion. A number of > excellent points have been raised on the effectiveness of EV in general and

Re: On the value of EV

On Monday, December 18, 2017 at 3:54:24 PM UTC-6, Andrew wrote: > On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > > Thank you Ryan for raising this question, and to everyone who has been > > contributing in a constructive manner to the discussion. A number of > > excellent

Re: On the value of EV

On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > Thank you Ryan for raising this question, and to everyone who has been > contributing in a constructive manner to the discussion. A number of > excellent points have been raised on the effectiveness of EV in general and > on

Re: On the value of EV

Thank you Ryan for raising this question, and to everyone who has been contributing in a constructive manner to the discussion. A number of excellent points have been raised on the effectiveness of EV in general and on the practicality of solving the problems that exist with EV. While we have

Re: On the value of EV

My apologies for bringing up an analogy to cars for purposes of explaining, as it's otherwise opened up an analogical rathole. The answer to your question about IDNs is probably best for a separate thread (as it doesn't seem to bear relevance to EV), and your question about whether it encourages

Re: On the value of EV

IDN abuses are far more hostile, to my mind, than EV positive indicators. At least within certain locales. Why is IDN even displayed in styled form if the client locale belongs to a jurisdiction or language for which non-roman characters would be abnormal? Additionally, many vehicles provide

Re: On the value of EV

That is, indeed, a good question. I've also questioned simultaneously questioning users' reliance on the UI while suggesting that no user looks to the UI. If the user does not see or make decisions on the basis of the UI, it seems leaving it present is no harder a conclusion to arrive at than

Re: On the value of EV

On Mon, Dec 18, 2017 at 1:26 PM, Andrew via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > > It also perpetuates the myopic and flawed view as a phishing mitigation, > > whose reliance is upon users

Re: On the value of EV

As I see it, there are essentially two entirely different forms of identity assurance that TLS certificates are intended to provide: - To assure the user that the domain name displayed in the address bar is controlled by the same entity who controls the server they are communicating with

Re: On the value of EV

On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > It also perpetuates the myopic and flawed view as a phishing mitigation, > whose reliance is upon users checking it (again, user hostile) Ryan, several times now you've characterized the expectation that users check that the

Re: On the value of EV

On Sun, Dec 17, 2017 at 4:45 PM, Peter Kurrasch via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Second, the actual value in EV as far as I can see is in having that human > readable name in addition to the domain name. A successful plan of attack > will need convincing

Re: On the value of EV

I think we've finally reached the essence of this debate: if there is a chance a security feature will fail, should we abandon that security feature?When it comes to EV certs and the UI treatments thereof, it

Re: On the value of EV

On Fri, Dec 15, 2017 at 02:40:30PM -0800, Matthew Hardeman via dev-security-policy wrote: > On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote: > > Yes, we can say correlated variables are correlated. > > No, we cannot imply or infer from correlated variables that there is a > >

Re: On the value of EV

On Fri, Dec 15, 2017 at 10:30:41PM +, Tim Shirley via dev-security-policy wrote: > I’m saying “can” be spoofed is different than “is” being spoofed. How do you know your bank's EV UI element has never been spoofed? Have you, every single time you've made an HTTPS request to your bank's

Re: On the value of EV

On Friday, December 15, 2017 at 5:39:37 PM UTC-6, Ryan Sleevi wrote: > That is not what is required. There is no special enrollment dance - that > is simply straight up misrepresenting it. Your vision is not aligned with > the reality of it. I've never been to a banking website where there

Re: On the value of EV

On Fri, Dec 15, 2017 at 5:38 PM Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > > > It also perpetuates the myopic and flawed view as a phishing mitigation, > > whose reliance is upon

Re: On the value of EV

On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote: > Yes, we can say correlated variables are correlated. > No, we cannot imply or infer from correlated variables that there is a > causal relationship. > There exists a not insignificant school of actuarial thought that there

Re: On the value of EV

On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > It also perpetuates the myopic and flawed view as a phishing mitigation, > whose reliance is upon users checking it (again, user hostile), and > misleading both users and site operators into EV as a phishing mitigation, > when

Re: On the value of EV

.com> > *Date: *Friday, December 15, 2017 at 5:05 PM > *To: *Tim Shirley <tshir...@trustwave.com> > *Cc: *"r...@sleevi.com" <r...@sleevi.com>, Matthew Hardeman < > mharde...@gmail.com>, mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists

Re: On the value of EV

t; <r...@sleevi.com>, Matthew Hardeman <mharde...@gmail.com>, mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: On the value of EV If the signal can be spoofed, it does not actually help keep you safe. On Fri, Dec 15, 2017 at 5:21 PM, Tim Shirle

Re: On the value of EV

Absolutely.. The lack of EV when I expect it doesn’t automatically mean to me that something is bad. It just puts me on high alert that something *might* be wrong. And I have never logged into a bank website from a mobile device, but my motivations for that go far beyond EV. ( On 12/15/17,

Re: On the value of EV

thew Hardeman < > mharde...@gmail.com>, mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.org> > *Subject: *Re: On the value of EV > > > > > > > > On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley <tshir...@trustwave.com> > w

Re: On the value of EV

com> Cc: "r...@sleevi.com" <r...@sleevi.com>, Matthew Hardeman <mharde...@gmail.com>, mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: On the value of EV On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley <tshir...@trustwave

Re: On the value of EV

On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley wrote: > I don’t see how you can argue that the EV “seatbelt” breaks 100% of the > time. I know my bank uses an EV cert. Any time I come across a site > claiming to be my bank but lacking an EV cert, and my browser shows me

Re: On the value of EV

On Fri, Dec 15, 2017 at 4:26 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote: > > > Respectfully, this is the tiger-repelling rock. We can't show that any > > tigers attacked,

Re: On the value of EV

On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote: > Respectfully, this is the tiger-repelling rock. We can't show that any > tigers attacked, therefore, we should keep telling users they need > tiger-repelling rocks. And oh, by the way, they take away attention from > solutions

Re: On the value of EV

On Friday, December 15, 2017 at 1:50:38 PM UTC-6, Ryan Sleevi wrote: > I'm not sure I made those statements, but would be happy to clarify the > confusion. Indeed, as I tried to call out, there are a subset of users who > are looking at it and relying on it - although it cannot be relied upon - >

Re: On the value of EV

On Fri, Dec 15, 2017 at 2:34 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 8:08:44 AM UTC-6, Ryan Sleevi wrote: > > > James’ research has showed the ease at which it is possible to use the UI > > afforded EV to

Re: On the value of EV

On Fri, Dec 15, 2017 at 2:34 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 15/12/2017 02:30, Ryan Sleevi wrote: > > Some participants have pointed out correlation is not causation - that > you > > can’t infer that never being attacked by a tiger while

Re: On the value of EV

On Fri, Dec 15, 2017 at 08:34:37AM +0100, Jakob Bohm via dev-security-policy wrote: > YOU in particularly have kept insisting that it is a "myth" that > phishing sites don't use EV certificates, yet keep pointing to articles > about non-EV failures. As the Wikipedians say, "Citation Needed". I

Re: On the value of EV

On Thu, 14 Dec 2017 16:33:29 -0800 (PST) Matthew Hardeman via dev-security-policy wrote: > That attack was by hacking the target's domain registrar account. > Others have done that as well, including against a Brazilian bank. > > The right attacker would

Fox-IT hack (was Re: On the value of EV)

On 15/12/17 00:18, Matthew Hardeman via dev-security-policy wrote: On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote: Route hijacking your way to what would appear as a proper domain validation is practical for even a modestly resourceful adversary. I suspect that

Re: On the value of EV

On 15/12/2017 02:30, Ryan Sleevi wrote: On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 14/12/2017 00:23, Peter Gutmann wrote: Tim Shirley via dev-security-policy < dev-security-policy@lists.mozilla.org> writes: But

Re: On the value of EV

On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 14/12/2017 00:23, Peter Gutmann wrote: > > Tim Shirley via dev-security-policy < > dev-security-policy@lists.mozilla.org> writes: > > > >> But regardless of which (or neither)

Re: On the value of EV

That attack was by hacking the target's domain registrar account. Others have done that as well, including against a Brazilian bank. The right attacker would not even need that - they could just hijack traffic headed to the IP address of the real DNS server in question.

Re: On the value of EV

On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote: > Route hijacking your way to what would appear as a proper domain validation > is practical for even a modestly resourceful adversary. I suspect that the > only reason more spectacular demonstration of certs issuing

Re: On the value of EV

On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote: > My concern with this argument is that it's susceptible to the criticism > that Adam Langley made of revocation checking: > https://www.imperialviolet.org/2012/02/05/crlsets.html > > "So [EV identity is] like a

Re: On the value of EV

On 14/12/2017 00:23, Peter Gutmann wrote: Tim Shirley via dev-security-policy writes: But regardless of which (or neither) is true, the very fact that EV certs are rarely (never?) used on phishing sites There's no need:

Re: On the value of EV

On 13/12/2017 22:40, Matthew Hardeman wrote: On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote: Yes. This is the foundation and limit of Web Security. https://en.wikipedia.org/wiki/Same-origin_policy This is what is programatically enforced. Anything else either requires

Re: On the value of EV

On 13/12/2017 20:55, Gervase Markham wrote: On 11/12/17 17:00, Ryan Sleevi wrote: Fundamentally, I think this is misleading. It presumes that, upon something bad happening, someone can link it back to that certificate to link it back to that identity. If I was phished, and entered my

Re: On the value of EV

On 14/12/2017 17:51, Peter Bachman wrote: @Jakob I was referring to the classical namespaces which have evolved since the 1980s. The NSF pilot project was based on a now obsolete version of X.500, Quipu, that world rooted with participating county directories. While I managed that part of

Re: On the value of EV

@Ryan “Since improving it as a technical means is an effective non-starter (e.g. introducing a new origin for only EV certs), the only fallback is to the cognitive means” EV is a convenient signal. I like it. The problem is the infrastructure that pits the Internet and it’s protocols with

Re: On the value of EV

@Jakob I was referring to the classical namespaces which have evolved since the 1980s. The NSF pilot project was based on a now obsolete version of X.500, Quipu, that world rooted with participating county directories. While I managed that part of the capital D Directory it was in the context

RE: On the value of EV

; Gervase Markham > <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org; Tim > Shirley <tshir...@trustwave.com> > Subject: Re: On the value of EV > > On 14/12/17 00:25, Tim Hollebeek via dev-security-policy wrote: > > If you look at where the HTTPS phi

Re: On the value of EV

On 14/12/17 00:25, Tim Hollebeek via dev-security-policy wrote: If you look at where the HTTPS phishing certificates come from, they come almost entirely from Let's Encrypt and Comodo. This is perhaps the best argument in favor of distinguishing between CAs that care about phishing and those

Re: On the value of EV

On Wednesday, December 13, 2017 at 11:09:44 PM UTC-6, Matt Palmer wrote: > > Before that, though, a quick word from our sponsor, Elephant-Be-Gone Amulets > of America, Inc. No elephants in America, you say? See, they're 100% > effective! Get yours today! Of relevance on this point, I'm quite

Re: On the value of EV

On Thu, Dec 14, 2017 at 12:21:12AM +, Tim Hollebeek via dev-security-policy wrote: > If you look at the phishing data feeds and correlate them with EV > certificates, > you'll find out that Tim's "speculation" is right. Ladies and gentlemen, this evening, for your viewing pleasure, the

Re: On the value of EV

3, 2017 2:41 PM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: On the value of EV > > > > On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote: > > > > > Yes. This is the foundation and limit of Web Security. &

RE: On the value of EV

ay, December 13, 2017 2:41 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: On the value of EV > > On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote: > > > Yes. This is the foundation and limit of Web Security. > >

RE: On the value of EV

ts.mozilla.org; Tim Shirley <tshir...@trustwave.com> > Subject: Re: On the value of EV > > Tim Shirley via dev-security-policy <dev-security-policy@lists.mozilla.org> > writes: > > >But regardless of which (or neither) is true, the very fact that EV > >cer

RE: On the value of EV

-security-policy- > bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Tim > Shirley via dev-security-policy > Sent: Wednesday, December 13, 2017 3:35 PM > To: r...@sleevi.com > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham > <g...@mozilla.o

Re: On the value of EV

On Wed, Dec 13, 2017 at 6:23 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I realize I'm doing a poor job at articulating the profound risks, > perhaps > > because they're best not for e-mail discussions, but these problems are > not > > unique

Re: On the value of EV

On Wednesday, December 13, 2017 at 5:08:05 PM UTC-6, Matt Palmer wrote: > > There is a "curatorship", if you will, engaged by the site author. If > > there are sub-resources loaded in, whether they are EV or not, it is the > > root page author's place to "take responsibility" for the contents of

Re: On the value of EV

Tim Shirley via dev-security-policy writes: >But regardless of which (or neither) is true, the very fact that EV certs are >rarely (never?) used on phishing sites There's no need:

Re: On the value of EV

On Wed, Dec 13, 2017 at 01:40:35PM -0800, Matthew Hardeman via dev-security-policy wrote: > I'm not sure we need namespace separation for EV versus non-EV subresouces. > > The cause for this is simple: > > It is the main page resource at the root of the document which causes each > sub-resource

Re: On the value of EV

*"r...@sleevi.com" <r...@sleevi.com> > *Date: *Wednesday, December 13, 2017 at 5:03 PM > *To: *Tim Shirley <tshir...@trustwave.com> > *Cc: *Gervase Markham <g...@mozilla.org>, "mozilla-dev-security-policy@ > lists.mozilla.org" <mozilla-dev-security-

Re: On the value of EV

On Wed, Dec 13, 2017 at 05:58:38PM +, Tim Shirley via dev-security-policy wrote: > So many of the arguments made here, such as this one, as well as the > recent demonstrations that helped start this thread, focus on edge cases. > And while those are certainly valuable to consider, they

Re: On the value of EV

Reply-To: "r...@sleevi.com" <r...@sleevi.com> Date: Wednesday, December 13, 2017 at 5:03 PM To: Tim Shirley <tshir...@trustwave.com> Cc: Gervase Markham <g...@mozilla.org>, "mozilla-dev-security-pol...@lists.mozilla.org" <mozilla-dev-security-pol...@lis

Re: On the value of EV

On Wed, Dec 13, 2017 at 5:19 PM, Tim Hollebeek via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > There are also the really cool hash-based revocation ideas that actually > do help > even against active attackers on the same network. I really wish those > ideas got > more

RE: On the value of EV

; bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Tim > Shirley via dev-security-policy > Sent: Wednesday, December 13, 2017 2:47 PM > To: Gervase Markham <g...@mozilla.org>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: On the value of EV > >

Re: On the value of EV

On Wed, Dec 13, 2017 at 4:46 PM, Tim Shirley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As I understand it, Adam’s argument there was that to get value out of a > revoked certificate, you need to be between the user and the web server so > you can direct the traffic

Re: On the value of EV

On Wed, Dec 13, 2017 at 4:40 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote: > > > Yes. This is the foundation and limit of Web Security. > > > >

Re: On the value of EV

On 13/12/2017 14:50, Tim Shirley wrote: I guess I’m also having a hard time appreciating how the presence of this information is a “cost” to users who don’t care about it. For one thing, it’s been there for years in all major browsers, so everyone has at least been conditioned to its

Re: On the value of EV

As I understand it, Adam’s argument there was that to get value out of a revoked certificate, you need to be between the user and the web server so you can direct the traffic to your web server, so you’re already in position to also block revocation checks. I don’t think that maps here because

Re: On the value of EV

On Wed, Dec 13, 2017 at 4:28 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote: > > > My concern with this argument is that it's susceptible to the criticism > > that Adam

Re: On the value of EV

On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote: > Yes. This is the foundation and limit of Web Security. > > https://en.wikipedia.org/wiki/Same-origin_policy > > This is what is programatically enforced. Anything else either requires new > technology to technically enforce

Re: On the value of EV

On Wed, Dec 13, 2017 at 4:14 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Monday, December 11, 2017 at 6:01:25 PM UTC-6, Ryan Sleevi wrote: > > > > Not really - what matters is that the user insists they got had via a > > > phishing link or

Re: On the value of EV

On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote: > My concern with this argument is that it's susceptible to the criticism > that Adam Langley made of revocation checking: > https://www.imperialviolet.org/2012/02/05/crlsets.html > > "So [EV identity is] like a

Re: On the value of EV

On Wed, Dec 13, 2017 at 3:50 PM, Tim Shirley wrote: > I’m not looking for a guarantee. Nothing is ever going to meet that > standard. What I’m looking for is something that’s going to improve my > odds. What I see in Ian’s and James’s research is some ways that it’s >

Re: On the value of EV

On Monday, December 11, 2017 at 6:01:25 PM UTC-6, Ryan Sleevi wrote: > > Not really - what matters is that the user insists they got had via a > > phishing link or other process - that can certainly be verified after the > > fact > > > No. Why's that? This is how investigations begin. > > -

Re: On the value of EV

" <r...@sleevi.com>, Nick Lamb <n...@tlrmx.org>, "dev-security-policy@lists.mozilla.org" <dev-security-policy@lists.mozilla.org>, Jakob Bohm <jb-mozi...@wisemo.com> Subject: Re: On the value of EV Right, but both Ian and James' research show that it's an unreliable gu

Re: On the value of EV

On 13/12/17 11:58, Tim Shirley wrote: > So many of the arguments made here, such as this one, as well as the recent > demonstrations that helped start this thread, focus on edge cases. And while > those are certainly valuable to consider, they obscure the fact that “Green > Bar” adds value in

Re: On the value of EV

On 11/12/17 17:00, Ryan Sleevi wrote: > Fundamentally, I think this is misleading. It presumes that, upon > something bad happening, someone can link it back to that certificate > to link it back to that identity. If I was phished, and entered my > credentials, there's no reason to believe I've

Re: On the value of EV

m Shirley <tshir...@trustwave.com> > *Cc: *Nick Lamb <n...@tlrmx.org>, "dev-security-policy@lists.mozilla.org" < > dev-security-policy@lists.mozilla.org>, Jakob Bohm <jb-mozi...@wisemo.com> > *Subject: *Re: On the value of EV > > > > > > > > On

Re: On the value of EV

e: Wednesday, December 13, 2017 at 1:18 PM To: Tim Shirley <tshir...@trustwave.com> Cc: Nick Lamb <n...@tlrmx.org>, "dev-security-policy@lists.mozilla.org" <dev-security-policy@lists.mozilla.org>, Jakob Bohm <jb-mozi...@wisemo.com> Subject: Re: On the value of EV

Re: On the value of EV

On Wed, Dec 13, 2017 at 1:19 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I would be sorely disappointed Prepare to be sorely disappointed > and consider it a security bug It is not a bug. It is not part of the security boundary of the Web, thus

Re: On the value of EV

On 13/12/2017 18:38, Nick Lamb wrote: On Wed, 13 Dec 2017 12:29:40 +0100 Jakob Bohm via dev-security-policy wrote: What is *programmatically* enforced is too little for human safety. believing that computers can replace human judgement is a big mistake.

Re: On the value of EV

On Wed, Dec 13, 2017 at 12:58 PM, Tim Shirley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As an employee of a CA, I’m sure many here will dismiss my point of view > as self-serving. But when I am making trust decisions on the internet, I > absolutely rely on both

Re: On the value of EV

So many of the arguments made here, such as this one, as well as the recent demonstrations that helped start this thread, focus on edge cases. And while those are certainly valuable to consider, they obscure the fact that “Green Bar” adds value in the mainstream use cases. If we were talking

Re: On the value of EV

I have been trying very hard to engage at the substance, but you keep misunderstanding my statements and then answering that strawman. So lets reiterate: - I do not suggest assigning *liability* to the user. - I do suggest *helping the user* make informed decisions of the kind that humans

Re: On the value of EV

On Wed, 13 Dec 2017 12:29:40 +0100 Jakob Bohm via dev-security-policy wrote: > What is *programmatically* enforced is too little for human safety. > believing that computers can replace human judgement is a big mistake. > Most of the world knows this.

Re: On the value of EV

On Wed, Dec 13, 2017 at 6:29 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > Yes. This is the foundation and limit of Web Security. > > > > https://en.wikipedia.org/wiki/Same-origin_policy > > > > This is what is programatically enforced. Anything else

Re: On the value of EV

On 12/12/2017 22:51, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: What you are writing below, with far too many words is that you think that URLs are the only identities that matter in this world, and

Re: On the value of EV

On 12/12/2017 12:21 AM, Hanno Böck via dev-security-policy wrote: > Hi, > > On Mon, 11 Dec 2017 11:01:10 -0800 (PST) > Ryan Sleevi via dev-security-policy > wrote: > >> I suppose this is both a question for policy and for Mozilla - given >> the ability to

Re: On the value of EV

On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What you are writing below, with far too many words is that you think > that URLs are the only identities that matter in this world, and > therefore DV certificates are enough

Re: On the value of EV

Would it be reasonable to have some sort of global database where the company names and other identifiers that can be displayed in UI will be stored including some sort of contact data? In the validation process for EV the CA could then be required to contact the companies with similar names

Re: On the value of EV

On 12/12/2017 20:04, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: The overall thing is that the current thread seems to be a major case of throwing the baby out with the bathwater. That is overly

Re: On the value of EV

On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > The overall thing is that the current thread seems to be a major case of > throwing the baby out with the bathwater. > That is overly reductive and may demonstrate a lack of

Re: On the value of EV

On 12/12/2017 18:31, Jonathan Rudenberg wrote: On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy wrote: A lot of people have posed suggestions for countermeasures so extreme they should not be taken seriously. This includes discontinuing

Re: On the value of EV

On 12/12/2017 18:19, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 12/12/2017 01:08, Adam Caudill wrote: Even if it is, someone filed the paperwork. Court houses have clerks, guards, video cameras,

Re: On the value of EV

> On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy > wrote: > > A lot of people have posed suggestions for countermeasures so extreme > they should not be taken seriously. This includes discontinuing EV, I don’t think that removing the EV

Re: On the value of EV

On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 12/12/2017 01:08, Adam Caudill wrote: > >> Even if it is, someone filed the paperwork. Court houses have clerks, > guards, video cameras, etc... It still may present a

Re: On the value of EV

On Mon, 11 Dec 2017 19:08:43 -0500 Adam Caudill via dev-security-policy wrote: > I can say from my own experience, in some states in the US, it's a > trivial matter to create a company online, with no validation of > identity or other information. It takes

RE: On the value of EV

...@lists.mozilla.org Subject: Re: On the value of EV On 12/12/2017 01:08, Adam Caudill wrote: >>>> Even if it is, someone filed the paperwork. Court houses have >>>> clerks, guards, video cameras, etc... It still may present a real >>>> physical

Re: On the value of EV

On 12/12/2017 01:08, Adam Caudill wrote: Even if it is, someone filed the paperwork. Court houses have clerks, guards, video cameras, etc... It still may present a real physical point from which to bootstrap an investigation. Court houses also have online systems. I think if you read both

Re: On the value of EV

I recently talked about [1] some of the many problems I see with EV certificates on my blog but looking at the tangible security benefits of EV they can already be matched, or will soon be matched, by DV certificates. Certificate Transparency will be required [2] for all certificates and not

  1   2   >