> Subject: Re: On the value of EV
>
> Thank you Ryan for raising this question, and to everyone who has been
> contributing in a constructive manner to the discussion. A num
On 18/12/2017 21:54, Andrew wrote:
On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
Thank you Ryan for raising this question, and to everyone who has been
contributing in a constructive manner to the discussion. A number of
excellent points have been raised on the
On Mon, Dec 18, 2017 at 03:04:11PM -0800, Ian Carroll via dev-security-policy
wrote:
>
> I do wonder how many users actually make the connection that the country code
> next to the company name is in fact a country code.
And even if you do make the connection, it's not always obvious
even in
On Monday, December 18, 2017 at 4:54:24 PM UTC-5, Andrew wrote:
> On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> > Thank you Ryan for raising this question, and to everyone who has been
> > contributing in a constructive manner to the discussion. A number of
> > excellent
On Mon, Dec 18, 2017 at 4:09 PM, Wayne Thayer wrote:
> Thank you Ryan for raising this question, and to everyone who has been
> contributing in a constructive manner to the discussion. A number of
> excellent points have been raised on the effectiveness of EV in general and
On Monday, December 18, 2017 at 3:54:24 PM UTC-6, Andrew wrote:
> On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> > Thank you Ryan for raising this question, and to everyone who has been
> > contributing in a constructive manner to the discussion. A number of
> > excellent
On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> Thank you Ryan for raising this question, and to everyone who has been
> contributing in a constructive manner to the discussion. A number of
> excellent points have been raised on the effectiveness of EV in general and
> on
Thank you Ryan for raising this question, and to everyone who has been
contributing in a constructive manner to the discussion. A number of
excellent points have been raised on the effectiveness of EV in general and
on the practicality of solving the problems that exist with EV.
While we have
My apologies for bringing up an analogy to cars for purposes of explaining,
as it's otherwise opened up an analogical rathole.
The answer to your question about IDNs is probably best for a separate
thread (as it doesn't seem to bear relevance to EV), and your question
about whether it encourages
IDN abuses are far more hostile, to my mind, than EV positive indicators.
At least within certain locales.
Why is IDN even displayed in styled form if the client locale belongs to a
jurisdiction or language for which non-roman characters would be abnormal?
Additionally, many vehicles provide
That is, indeed, a good question.
I've also questioned simultaneously questioning users' reliance on the UI
while suggesting that no user looks to the UI.
If the user does not see or make decisions on the basis of the UI, it seems
leaving it present is no harder a conclusion to arrive at than
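The locale rule asked about above (show a non-Latin label only when the user's locale would expect that script), worked through as an added example in Python; this is not code from the thread or from any browser. It goes one step beyond the question by also catching the two cases a pure locale rule misses: a label that mixes scripts, and a label written entirely in Cyrillic letters that look identical to Latin ones, which a locale rule would happily show to a Russian reader. The script table, the look-alike list and the sample hostnames are constructed for the example (assumption); a real browser ships much larger tables. Input is the ASCII (A-label) form of the host, which is what the URL and the certificate carry.

```python
"""Locale-aware IDN display policy for the address bar.

Added example, not code from the thread or from any browser.  A label is
shown in Unicode only when every script it uses is one the user's locale
is expected to read; otherwise the xn-- form is shown.  The tables below
are constructed for the example and far smaller than a browser's.
"""
import unicodedata

# Scripts a reader of each locale is assumed to recognise (assumption).
LOCALE_SCRIPTS = {
    "en": {"LATIN"},
    "ru": {"LATIN", "CYRILLIC"},
    "el": {"LATIN", "GREEK"},
}

# Cyrillic letters that look identical to Latin a, e, o, p, c, y, x, l.
# A label made only of these passes the locale rule for a Russian reader
# yet reads as Latin, so it is shown as xn-- too.  Partial list.
CYRILLIC_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u04cf")


def decode_label(label: str) -> str:
    """A-label (xn--...) to U-label; anything else is returned as is."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Script guessed from the first word of the Unicode character name
    ('LATIN SMALL LETTER A' -> 'LATIN'); ASCII digits and '-' are COMMON."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def classify_label(label: str, locale: str) -> str:
    """One of 'ascii', 'unicode', 'invalid', 'mixed-script',
    'foreign-script' or 'whole-script-confusable'."""
    try:
        u = decode_label(label)
    except (UnicodeError, ValueError):
        return "invalid"
    if u.isascii():
        return "ascii"
    scripts = {script_of(c) for c in u} - {"COMMON"}
    if len(scripts) != 1:
        return "mixed-script"          # e.g. a Cyrillic 'а' spliced into 'pple'
    if not scripts <= LOCALE_SCRIPTS.get(locale, {"LATIN"}):
        return "foreign-script"        # readable script, wrong audience
    if scripts == {"CYRILLIC"} and all(
            c in CYRILLIC_LOOKALIKES or script_of(c) == "COMMON" for c in u):
        return "whole-script-confusable"
    return "unicode"


def display_hostname(host: str, locale: str) -> tuple:
    """Return (text for the address bar, reason).  `host` is the ASCII
    form from the URL; Unicode is shown only if every label is safe."""
    if not host.isascii():
        raise ValueError("expected the A-label (ASCII) form of the host")
    host = host.lower()
    labels = host.split(".")
    reasons = [classify_label(l, locale) for l in labels]
    unsafe = [r for r in reasons if r not in ("ascii", "unicode")]
    if unsafe:
        return host, unsafe[0]
    shown = ".".join(decode_label(l) for l in labels)
    return shown, ("unicode" if "unicode" in reasons else "ascii")


if __name__ == "__main__":
    # Constructed sample hosts: plain ASCII, a Cyrillic 'а' spliced into
    # a Latin label, an all-Cyrillic look-alike label, and a genuine
    # Russian domain name.
    for host in ("example.com", "xn--pple-43d.com",
                 "xn--80ak6aa92e.com", "xn--e1afmkfd.xn--p1ai"):
        for locale in ("en", "ru"):
            shown, why = display_hostname(host, locale)
            print(f"{locale} {host:24} -> {shown} ({why})")
```

The order of the checks matters: mixed script is rejected for everyone, the locale rule is applied next, and only a label that survives both is checked against the look-alike list, so a Russian user still sees xn-- for the all-Cyrillic imitation of a Latin brand while a genuine Cyrillic name is rendered for them and not for an English-locale user.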
On Mon, Dec 18, 2017 at 1:26 PM, Andrew via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> > It also perpetuates the myopic and flawed view as a phishing mitigation,
> > whose reliance is upon users
As I see it, there are essentially two entirely different forms of identity
assurance that TLS certificates are intended to provide:
- To assure the user that the domain name displayed in the address bar is
controlled by the same entity who controls the server they are communicating
with
On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> It also perpetuates the myopic and flawed view as a phishing mitigation,
> whose reliance is upon users checking it (again, user hostile)
Ryan, several times now you've characterized the expectation that users check
that the
On Sun, Dec 17, 2017 at 4:45 PM, Peter Kurrasch via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Second, the actual value in EV as far as I can see is in having that human
> readable name in addition to the domain name. A successful plan of attack
> will need convincing
I think we've finally reached the essence of this debate: if there is a chance a security feature will fail, should we abandon that security feature? When it comes to EV certs and the UI treatments thereof, it
On Fri, Dec 15, 2017 at 02:40:30PM -0800, Matthew Hardeman via
dev-security-policy wrote:
> On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote:
> > Yes, we can say correlated variables are correlated.
> > No, we cannot imply or infer from correlated variables that there is a
> >
On Fri, Dec 15, 2017 at 10:30:41PM +, Tim Shirley via dev-security-policy
wrote:
> I’m saying “can” be spoofed is different than “is” being spoofed.
How do you know your bank's EV UI element has never been spoofed? Have you,
every single time you've made an HTTPS request to your bank's
On Friday, December 15, 2017 at 5:39:37 PM UTC-6, Ryan Sleevi wrote:
> That is not what is required. There is no special enrollment dance - that
> is simply straight up misrepresenting it. Your vision is not aligned with
> the reality of it.
I've never been to a banking website where there
On Fri, Dec 15, 2017 at 5:38 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
>
> > It also perpetuates the myopic and flawed view as a phishing mitigation,
> > whose reliance is upon
On Friday, December 15, 2017 at 3:51:48 PM UTC-6, Ryan Sleevi wrote:
> Yes, we can say correlated variables are correlated.
> No, we cannot imply or infer from correlated variables that there is a
> causal relationship.
>
There exists a not insignificant school of actuarial thought that there
On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> It also perpetuates the myopic and flawed view as a phishing mitigation,
> whose reliance is upon users checking it (again, user hostile), and
> misleading both users and site operators into EV as a phishing mitigation,
> when
If the signal can be spoofed, it does not actually help keep you safe.
On Fri, Dec 15, 2017 at 5:21 PM, Tim Shirle
Absolutely. The lack of EV when I expect it doesn’t automatically mean to me
that something is bad. It just puts me on high alert that something *might* be
wrong. And I have never logged into a bank website from a mobile device, but
my motivations for that go far beyond EV. (
On 12/15/17,
On Fri, Dec 15, 2017 at 4:50 PM, Tim Shirley wrote:
> I don’t see how you can argue that the EV “seatbelt” breaks 100% of the
> time. I know my bank uses an EV cert. Any time I come across a site
> claiming to be my bank but lacking an EV cert, and my browser shows me
On Fri, Dec 15, 2017 at 4:26 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote:
>
> > Respectfully, this is the tiger-repelling rock. We can't show that any
> > tigers attacked,
On Friday, December 15, 2017 at 3:08:32 PM UTC-6, Ryan Sleevi wrote:
> Respectfully, this is the tiger-repelling rock. We can't show that any
> tigers attacked, therefore, we should keep telling users they need
> tiger-repelling rocks. And oh, by the way, they take away attention from
> solutions
On Friday, December 15, 2017 at 1:50:38 PM UTC-6, Ryan Sleevi wrote:
> I'm not sure I made those statements, but would be happy to clarify the
> confusion. Indeed, as I tried to call out, there are a subset of users who
> are looking at it and relying on it - although it cannot be relied upon -
>
On Fri, Dec 15, 2017 at 2:34 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 8:08:44 AM UTC-6, Ryan Sleevi wrote:
>
> > James’ research has showed the ease at which it is possible to use the UI
> > afforded EV to
On Fri, Dec 15, 2017 at 2:34 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 15/12/2017 02:30, Ryan Sleevi wrote:
> > Some participants have pointed out correlation is not causation - that
> you
> > can’t infer that never being attacked by a tiger while
On Fri, Dec 15, 2017 at 08:34:37AM +0100, Jakob Bohm via dev-security-policy
wrote:
> YOU in particularly have kept insisting that it is a "myth" that
> phishing sites don't use EV certificates, yet keep pointing to articles
> about non-EV failures.
As the Wikipedians say, "Citation Needed". I
On Thu, 14 Dec 2017 16:33:29 -0800 (PST)
Matthew Hardeman via dev-security-policy
wrote:
> That attack was by hacking the target's domain registrar account.
> Others have done that as well, including against a Brazilian bank.
>
> The right attacker would
On 15/12/17 00:18, Matthew Hardeman via dev-security-policy wrote:
On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote:
Route hijacking your way to what would appear as a proper domain validation is
practical for even a modestly resourceful adversary. I suspect that
On 15/12/2017 02:30, Ryan Sleevi wrote:
On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 14/12/2017 00:23, Peter Gutmann wrote:
Tim Shirley via dev-security-policy <
dev-security-policy@lists.mozilla.org> writes:
But
On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 14/12/2017 00:23, Peter Gutmann wrote:
> > Tim Shirley via dev-security-policy <
> dev-security-policy@lists.mozilla.org> writes:
> >
> >> But regardless of which (or neither)
That attack was by hacking the target's domain registrar account. Others have
done that as well, including against a Brazilian bank.
The right attacker would not even need that - they could just hijack traffic
headed to the IP address of the real DNS server in question.
On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote:
> Route hijacking your way to what would appear as a proper domain validation
> is practical for even a modestly resourceful adversary. I suspect that the
> only reason more spectacular demonstration of certs issuing
On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote:
> My concern with this argument is that it's susceptible to the criticism
> that Adam Langley made of revocation checking:
> https://www.imperialviolet.org/2012/02/05/crlsets.html
>
> "So [EV identity is] like a
On 14/12/2017 00:23, Peter Gutmann wrote:
Tim Shirley via dev-security-policy
writes:
But regardless of which (or neither) is true, the very fact that EV certs are
rarely (never?) used on phishing sites
There's no need:
On 13/12/2017 22:40, Matthew Hardeman wrote:
On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote:
Yes. This is the foundation and limit of Web Security.
https://en.wikipedia.org/wiki/Same-origin_policy
This is what is programmatically enforced. Anything else either requires
On 13/12/2017 20:55, Gervase Markham wrote:
On 11/12/17 17:00, Ryan Sleevi wrote:
Fundamentally, I think this is misleading. It presumes that, upon
something bad happening, someone can link it back to that certificate
to link it back to that identity. If I was phished, and entered my
On 14/12/2017 17:51, Peter Bachman wrote:
@Jakob I was referring to the classical namespaces which have evolved since the
1980s. The NSF pilot project was based on a now obsolete version of X.500,
Quipu, that world rooted with participating county directories. While I
managed that part of
@Ryan
“Since improving it as a technical means is an effective non-starter (e.g.
introducing a new origin for only EV certs), the only fallback is to the
cognitive means”
EV is a convenient signal. I like it. The problem is the infrastructure that
pits the Internet and its protocols with
@Jakob I was referring to the classical namespaces which have evolved since the
1980s. The NSF pilot project was based on a now obsolete version of X.500,
Quipu, that world rooted with participating county directories. While I
managed that part of the capital D Directory it was in the context
On 14/12/17 00:25, Tim Hollebeek via dev-security-policy wrote:
If you look at where the HTTPS phishing certificates come from, they come
almost entirely from Let's Encrypt and Comodo.
This is perhaps the best argument in favor of distinguishing between CAs
that care about phishing and those
On Wednesday, December 13, 2017 at 11:09:44 PM UTC-6, Matt Palmer wrote:
>
> Before that, though, a quick word from our sponsor, Elephant-Be-Gone Amulets
> of America, Inc. No elephants in America, you say? See, they're 100%
> effective! Get yours today!
Of relevance on this point, I'm quite
On Thu, Dec 14, 2017 at 12:21:12AM +, Tim Hollebeek via dev-security-policy
wrote:
> If you look at the phishing data feeds and correlate them with EV
> certificates,
> you'll find out that Tim's "speculation" is right.
Ladies and gentlemen, this evening, for your viewing pleasure, the
On Wed, Dec 13, 2017 at 6:23 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > I realize I'm doing a poor job at articulating the profound risks,
> perhaps
> > because they're best not for e-mail discussions, but these problems are
> not
> > unique
On Wednesday, December 13, 2017 at 5:08:05 PM UTC-6, Matt Palmer wrote:
> > There is a "curatorship", if you will, engaged by the site author. If
> > there are sub-resources loaded in, whether they are EV or not, it is the
> > root page author's place to "take responsibility" for the contents of
Tim Shirley via dev-security-policy
writes:
>But regardless of which (or neither) is true, the very fact that EV certs are
>rarely (never?) used on phishing sites
There's no need:
On Wed, Dec 13, 2017 at 01:40:35PM -0800, Matthew Hardeman via
dev-security-policy wrote:
> I'm not sure we need namespace separation for EV versus non-EV subresources.
>
> The cause for this is simple:
>
> It is the main page resource at the root of the document which causes each
> sub-resource
On Wed, Dec 13, 2017 at 05:58:38PM +, Tim Shirley via dev-security-policy
wrote:
> So many of the arguments made here, such as this one, as well as the
> recent demonstrations that helped start this thread, focus on edge cases.
> And while those are certainly valuable to consider, they
On Wed, Dec 13, 2017 at 5:19 PM, Tim Hollebeek via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> There are also the really cool hash-based revocation ideas that actually
> do help
> even against active attackers on the same network. I really wish those
> ideas got
> more
On Wed, Dec 13, 2017 at 4:46 PM, Tim Shirley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> As I understand it, Adam’s argument there was that to get value out of a
> revoked certificate, you need to be between the user and the web server so
> you can direct the traffic
On Wed, Dec 13, 2017 at 4:40 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote:
>
> > Yes. This is the foundation and limit of Web Security.
> >
> >
On 13/12/2017 14:50, Tim Shirley wrote:
I guess I’m also having a hard time appreciating how the presence of this
information is a “cost” to users who don’t care about it. For one thing, it’s
been there for years in all major browsers, so everyone has at least been
conditioned to its
As I understand it, Adam’s argument there was that to get value out of a
revoked certificate, you need to be between the user and the web server so you
can direct the traffic to your web server, so you’re already in position to
also block revocation checks. I don’t think that maps here because
On Wed, Dec 13, 2017 at 4:28 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote:
>
> > My concern with this argument is that it's susceptible to the criticism
> > that Adam
On Tuesday, December 12, 2017 at 3:52:40 PM UTC-6, Ryan Sleevi wrote:
> Yes. This is the foundation and limit of Web Security.
>
> https://en.wikipedia.org/wiki/Same-origin_policy
>
> This is what is programmatically enforced. Anything else either requires new
> technology to technically enforce
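The boundary that actually is enforced, as an added example in Python (not code from the thread or from any browser): an origin is the tuple (scheme, host, port), and that tuple is all a browser compares when it decides whether two documents may touch each other. The function below takes nothing but the URL, which is the point: whether a page or one of its subresources was served under an EV or a DV certificate is not an input, so a script pulled from a DV host runs with the embedding EV page's origin. Default ports, hostname case and IDNA encoding are the normalisations that do matter. The sample URLs are constructed for the example (assumption).

```python
"""Serialize a URL's origin as the same-origin policy sees it.

Added example, not code from the thread or from any browser.  An origin
is (scheme, host, port); nothing about the certificate that served the
page is part of it.
"""
from urllib.parse import urlsplit

# Default ports used when the URL omits one.  Assumption: only http and
# https origins are modelled; any other scheme is treated as opaque.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Return (scheme, host, port) for an http(s) URL, or None for an
    opaque origin (other scheme, missing host, or an invalid port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port          # ValueError for ':abc' or ':99999'
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # Hosts compare case-insensitively and in A-label form, so
    # bücher.example and xn--bcher-kva.example are one host.
    # urlsplit already lower-cases .hostname for us.
    try:
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return (scheme, host, port)


def serialize_origin(url: str) -> str:
    """Origin in 'scheme://host[:port]' form, 'null' when opaque."""
    o = origin(url)
    if o is None:
        return "null"
    scheme, host, port = o
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def same_origin(a: str, b: str) -> bool:
    """True when a document at `a` may script a document at `b`.
    Opaque origins never match, not even themselves."""
    oa = origin(a)
    return oa is not None and oa == origin(b)


if __name__ == "__main__":
    # Constructed sample URLs.  The bank and its look-alike host are
    # distinct origins regardless of which one holds an EV certificate.
    pairs = [
        ("https://bank.example/login", "https://bank.example:443/account"),
        ("https://bank.example/login", "https://www.bank.example/login"),
        ("https://bank.example/login", "http://bank.example/login"),
        ("https://bücher.example/", "https://XN--BCHER-KVA.example/"),
    ]
    for a, b in pairs:
        print(f"{serialize_origin(a):32} {serialize_origin(b):32} "
              f"same origin: {same_origin(a, b)}")
```

Anything a CA validated about the organisation behind the host has no slot in this tuple; the only identity the browser enforces is the host name, which is why the argument above keeps returning to domain validation as the real boundary.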
On Wed, Dec 13, 2017 at 4:14 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Monday, December 11, 2017 at 6:01:25 PM UTC-6, Ryan Sleevi wrote:
>
> > > Not really - what matters is that the user insists they got had via a
> > > phishing link or
On Wednesday, December 13, 2017 at 2:46:10 PM UTC-6, Gervase Markham wrote:
> My concern with this argument is that it's susceptible to the criticism
> that Adam Langley made of revocation checking:
> https://www.imperialviolet.org/2012/02/05/crlsets.html
>
> "So [EV identity is] like a
On Wed, Dec 13, 2017 at 3:50 PM, Tim Shirley wrote:
> I’m not looking for a guarantee. Nothing is ever going to meet that
> standard. What I’m looking for is something that’s going to improve my
> odds. What I see in Ian’s and James’s research is some ways that it’s
>
On Monday, December 11, 2017 at 6:01:25 PM UTC-6, Ryan Sleevi wrote:
> > Not really - what matters is that the user insists they got had via a
> > phishing link or other process - that can certainly be verified after the
> > fact
>
>
> No.
Why's that? This is how investigations begin.
>
> -
" <r...@sleevi.com>, Nick Lamb <n...@tlrmx.org>,
"dev-security-policy@lists.mozilla.org"
<dev-security-policy@lists.mozilla.org>, Jakob Bohm <jb-mozi...@wisemo.com>
Subject: Re: On the value of EV
Right, but both Ian and James' research show that it's an unreliable gu
On 13/12/17 11:58, Tim Shirley wrote:
> So many of the arguments made here, such as this one, as well as the recent
> demonstrations that helped start this thread, focus on edge cases. And while
> those are certainly valuable to consider, they obscure the fact that “Green
> Bar” adds value in
On 11/12/17 17:00, Ryan Sleevi wrote:
> Fundamentally, I think this is misleading. It presumes that, upon
> something bad happening, someone can link it back to that certificate
> to link it back to that identity. If I was phished, and entered my
> credentials, there's no reason to believe I've
On Wed, Dec 13, 2017 at 1:19 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I would be sorely disappointed
Prepare to be sorely disappointed
> and consider it a security bug
It is not a bug. It is not part of the security boundary of the Web, thus
On 13/12/2017 18:38, Nick Lamb wrote:
On Wed, 13 Dec 2017 12:29:40 +0100
Jakob Bohm via dev-security-policy
wrote:
What is *programmatically* enforced is too little for human safety.
Believing that computers can replace human judgement is a big mistake.
On Wed, Dec 13, 2017 at 12:58 PM, Tim Shirley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> As an employee of a CA, I’m sure many here will dismiss my point of view
> as self-serving. But when I am making trust decisions on the internet, I
> absolutely rely on both
So many of the arguments made here, such as this one, as well as the recent
demonstrations that helped start this thread, focus on edge cases. And while
those are certainly valuable to consider, they obscure the fact that “Green
Bar” adds value in the mainstream use cases. If we were talking
I have been trying very hard to engage at the substance, but you keep
misunderstanding my statements and then answering that strawman.
So lets reiterate:
- I do not suggest assigning *liability* to the user.
- I do suggest *helping the user* make informed decisions of the kind
that humans
On Wed, 13 Dec 2017 12:29:40 +0100
Jakob Bohm via dev-security-policy
wrote:
> What is *programmatically* enforced is too little for human safety.
> Believing that computers can replace human judgement is a big mistake.
> Most of the world knows this.
On Wed, Dec 13, 2017 at 6:29 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> > Yes. This is the foundation and limit of Web Security.
> >
> > https://en.wikipedia.org/wiki/Same-origin_policy
> >
> > This is what is programmatically enforced. Anything else
On 12/12/2017 22:51, Ryan Sleevi wrote:
On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
What you are writing below, with far too many words is that you think
that URLs are the only identities that matter in this world, and
On 12/12/2017 12:21 AM, Hanno Böck via dev-security-policy wrote:
> Hi,
>
> On Mon, 11 Dec 2017 11:01:10 -0800 (PST)
> Ryan Sleevi via dev-security-policy
> wrote:
>
>> I suppose this is both a question for policy and for Mozilla - given
>> the ability to
On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> What you are writing below, with far too many words is that you think
> that URLs are the only identities that matter in this world, and
> therefore DV certificates are enough
Would it be reasonable to have some sort of global database where the company
names and other identifiers that can be displayed in UI will be stored
including
some sort of contact data?
In the validation process for EV the CA could then be required to contact the
companies with similar names
On 12/12/2017 20:04, Ryan Sleevi wrote:
On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
The overall thing is that the current thread seems to be a major case of
throwing the baby out with the bathwater.
That is overly
On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> The overall thing is that the current thread seems to be a major case of
> throwing the baby out with the bathwater.
>
That is overly reductive and may demonstrate a lack of
On 12/12/2017 18:31, Jonathan Rudenberg wrote:
On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy
wrote:
A lot of people have posed suggestions for countermeasures so extreme
they should not be taken seriously. This includes discontinuing
On 12/12/2017 18:19, Ryan Sleevi wrote:
On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 12/12/2017 01:08, Adam Caudill wrote:
Even if it is, someone filed the paperwork. Court houses have clerks,
guards, video cameras,
> On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy
> wrote:
>
> A lot of people have posed suggestions for countermeasures so extreme
> they should not be taken seriously. This includes discontinuing EV,
I don’t think that removing the EV
On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 12/12/2017 01:08, Adam Caudill wrote:
>
>> Even if it is, someone filed the paperwork. Court houses have clerks,
> guards, video cameras, etc... It still may present a
On Mon, 11 Dec 2017 19:08:43 -0500
Adam Caudill via dev-security-policy
wrote:
> I can say from my own experience, in some states in the US, it's a
> trivial matter to create a company online, with no validation of
> identity or other information. It takes
On 12/12/2017 01:08, Adam Caudill wrote:
>>>> Even if it is, someone filed the paperwork. Court houses have
>>>> clerks, guards, video cameras, etc... It still may present a real
>>>> physical
On 12/12/2017 01:08, Adam Caudill wrote:
Even if it is, someone filed the paperwork. Court houses have clerks,
guards, video cameras, etc... It still may present a real physical
point
from which to bootstrap an investigation.
Court houses also have online systems. I think if you read both
I recently talked about [1] some of the many problems I see with EV
certificates on my blog but looking at the tangible security benefits of EV
they can already be matched, or will soon be matched, by DV certificates.
Certificate Transparency will be required [2] for all certificates and not