
CABF Recommendations (was: On the value of EV)


Peter Kurrasch

Dec 17, 2017, 6:38:56 PM
to mozilla-dev-security-policy
As the token bad guy in this forum, I can promise you that I will resort to trickery, deception, lies, fraud, and even theft in order to get what I want. It should, perhaps, come as no surprise that those same tactics will surface when applying for an EV cert.

With that in mind, it is in the CA's own best interest to improve the policies and requirements behind EV issuance. The finance industry has regulations generally known as "Know Your Customer" (KYC) that are intended to stave off such things as money laundering, terrorist financing, and such. While not directly applicable to CAs and EV, KYC nonetheless might serve as a model whereby clients are scrutinized before certain actions are permitted by the CA.

For example, it seems indefensible to me that a CA should issue an EV cert to a company that has no prior history and offers only the thinnest of evidence to its legitimacy, as was documented in the original reports. All CAs must do better in that regard. I don't think it's unreasonable for CAs to have a documented, pre-existing relationship with an EV requester prior to the actual EV issuance.

Further, an EV requester must do more than offer its existence but be able to prove its legitimacy as an organization, institution, individual, and so forth. Such a requester should already have a presence on the Internet and, ideally, can demonstrate a level of competency in operating a secure web server. There seems no justification in my mind for a company to go from nonexistent to EV cert holder in 24 hours' time, for instance.

I also would discourage the use of statements such as "EV will prevent phishing attacks" as such claims are misleading. A phishing attack may take many forms, and setting up a fake website is but one of them. Likewise, my reasons for setting up a fake website are many and might have nothing to do with phishing. Instead, I would recommend a more direct approach: "EV certs allow you to associate your company name with your domain names". There is value in that alone.

Again I will state that it's in the best interests of CAs to improve their EV issuing guidelines and practices. While CAs no doubt enjoy charging a premium for EV services, there is no reason for browsers or the security community to recognize any service that is based on vapor. Indeed, the community seems to be saying right now that the status quo is not acceptable. The time for action is now.


From: Tim Hollebeek via dev-security-policy
Sent: Monday, December 11, 2017 1:33 PM

Happy to share the details.

We only had about 10 minutes on the agenda, so the discussion hasn’t been too detailed so far (there is still a lot of fallout from CAA that is dominating many validation discussions). There was a general consensus that companies with intentionally misleading names, and companies that are recently created shell companies solely for the purpose of obtaining a certificate should not be able to get an EV certificate.

Exactly what additional validation or rules might help with that problem, while not unnecessarily burdening legitimate businesses will require more time and discussion, which is why if anyone has good ideas, I’d love to hear them.

Ryan Sleevi

Dec 18, 2017, 11:32:22 AM
to Peter Kurrasch, mozilla-dev-security-policy
On Sun, Dec 17, 2017 at 6:38 PM, Peter Kurrasch via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Again I will state that it's in the best interests of CAs to improve
> their EV issuing guidelines and practices. While CAs no doubt enjoy
> charging a premium for EV services, there is no reason for browsers or the
> security community to recognize any service that is based on vapor. Indeed,
> the community seems to be saying right now that the status quo is not
> acceptable. The time for action is now.
>

I would disagree with this assertion.

The value of EV for a CA exists in the ability to extract a premium for
that product, and, where possible, to shift liability. The liability shift
(as seen in EMV in Europe vs US banking) hasn't happened - the user isn't
liable for relying on a DV cert vs an EV cert - but that's certainly been a
position some CAs have espoused. However, the financial incentives are such
that it is in a CA's interest to sell to as many customers as possible at a
premium.

The dynamics of certificates are such that those who are most affected
(Relying Parties/users) have the least effective control - certificates are
chosen by sites, not users. Browsers act as proxies for users, by informing
CAs that they will block sites (CA's customers) if CAs do not comply to new
issuance rules (such as deprecating SHA-1). The balance is such that
browsers do so with great care and thought - holding 'users' hostage is
never an ideal outcome, yet at the same time, the collective bargaining
power ("market share") enables individual users to be secured where the
ecosystem might otherwise seek to the bottom.

There's no reason to believe that a removal of EV UI would necessarily
impact this calculus - the existence of and adoption of OV shows CAs can be
quite successful promoting products that do not affect browser treatment.
That's not to say some CAs don't try to promote their products - whether
through public efforts (such as here on m.d.s.p) or through private
lobbying efforts, whether in legislative or regulatory spheres (e.g.
PCI-DSS) - but the market is sufficiently confused and complex enough that
it's difficult to be an informed buyer, and thus easy to be swayed by
marketing.

The value of EV should rest on its technical merits or its empirical data.
We should be willing to be bold and make changes - after all, EV itself was
a grand experiment - but we shouldn't expect EV to start providing value,
no more than we should expect John Frum to save us all.