Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

Matthew Hardeman

Apr 11, 2018, 1:51:59 PM
to mozilla-dev-s...@lists.mozilla.org
Hi,

I'm merely an interested community member.

I'm writing because I'm aghast that yet another CA has issued a certificate for Stripe, Inc.... of Kentucky.

One would think that the various commercial CAs would consider their communal self-interests in today's marketplace.

The commercial CA historically has commanded significant valuation as a recurring revenue model in a market with high barriers to entry.

Recently, however, economies of scale and new entrants have taken the value of DV-certificates to approximately $0.00 at retail.

You'd think a premium product like EV certificates, which must be a significant source of commercial CA revenue, would be jealously policed and guarded by CAs.

You'd think the various CAs who are all required to read this mailing list would keep up with the controversy around this same business entity and an EV certificate issued and fairly promptly revoked by Comodo.

Every time these matters arise, it raises serious community concerns about the value and appropriateness of the browser favoritism afforded EV certificates.

Will it survive this time? Who can say.

But we definitely can ask GoDaddy CA why they issued a certificate for the same entity that in quite recent memory sparked controversy on this forum.

Thanks,

Matt

PS - I strongly suggest that any CA interested in preserving EV revenue get with the others and come up with a publish-for-opposition before issuance scheme and mandatory field-of-use monitoring for the lifetime of issued certificates for EV, or some real enhancement which will confound those who would attempt to get these kinds of certificates. This is technically not a mis-issuance, and that's a significant problem for the value case of EV.

Ian Carroll

Apr 11, 2018, 2:01:17 PM
to mozilla-dev-s...@lists.mozilla.org
> an EV certificate issued and fairly promptly revoked by Comodo.


Just to clarify, Comodo revoked it at least four months after it was issued (https://crt.sh/?id=273634647). It was not "promptly" revoked.

Ryan Sleevi

Apr 11, 2018, 2:19:03 PM
to Matthew Hardeman, mozilla-dev-security-policy
On Wed, Apr 11, 2018 at 1:51 PM, Matthew Hardeman via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Hi,
>
> I'm merely an interested community member.
>
> I'm writing because I'm aghast that yet another CA has issued a
> certificate for Stripe, Inc.... of Kentucky.
>

It fully complies with all stated expectations of the EV Guidelines, the
information is fully accurate, and it does not appear to be fraudulent or
misleading in that.

Could you clarify what you're aghast at?

Matthew Hardeman

Apr 11, 2018, 2:49:06 PM
to mozilla-dev-s...@lists.mozilla.org
Additionally, I think it's fair to say that I'm aghast that another CA (who by their inclusion in the Mozilla root program has agreed to stay abreast of developments on this list) has issued for the exact same entity and name that already led to significant controversy covered on this list less than a year ago.

I believe that speaks to inattention to the list or failure to incorporate lessons learned from controversies on this list into issuance and/or validation practice.

Jonathan Rudenberg

Apr 11, 2018, 3:23:53 PM
to Matthew Hardeman, mozilla-dev-s...@lists.mozilla.org
On Wed, Apr 11, 2018, at 14:48, Matthew Hardeman via dev-security-policy wrote:
> Additionally, I think it's fair to say that I'm aghast that another CA
> (who by their inclusion in the Mozilla root program has agreed to stay
> abreast of developments on this list) has issued for the exact same
> entity and name that already led to significant controversy covered on
> this list less than a year ago.

This is a real legal entity, which almost certainly went through proper EV validation. Everything appears to be in order.

> I believe that speaks to inattention to the list or failure to
> incorporate lessons learned from controversies on this list into
> issuance and/or validation practice.

I strongly disagree. Everything is operating correctly. Corporate entity names are not unique, which is why EV is not useful. There were no lessons to be learned from the previous thread other than the fact that EV does not provide any useful guarantees to Mozilla's users.

Jonathan

Alex Gaynor

Apr 11, 2018, 3:24:18 PM
to Matthew Hardeman, mozilla-dev-s...@lists.mozilla.org
I disagree on what this is evidence of:

It's evidence that the claimed benefits of EV (by CA, WRT phishing) do not
match the technical reality. As Ryan noted, as far as I'm aware this
certificate violates neither the BRs, nor the EVG.

Alex

On Wed, Apr 11, 2018 at 2:48 PM, Matthew Hardeman via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Additionally, I think it's fair to say that I'm aghast that another CA
> (who by their inclusion in the Mozilla root program has agreed to stay
> abreast of developments on this list) has issued for the exact same entity
> and name that already led to significant controversy covered on this list
> less than a year ago.
>
> I believe that speaks to inattention to the list or failure to incorporate
> lessons learned from controversies on this list into issuance and/or
> validation practice.
>
> On Wednesday, April 11, 2018 at 1:19:03 PM UTC-5, Ryan Sleevi wrote:
>
> > Could you clarify what you're aghast at?
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

Matthew Hardeman

Apr 11, 2018, 3:28:03 PM
to Jonathan Rudenberg, mozilla-dev-security-policy
This absolutely appears to be valid issuance.

And if it's valid issuance, that raises questions about the value of EV, if
we accept that the definition of EV is static and unchangeable.

What I propose is that the community of CAs either recognize that it's
worthless and give up on it - or - recognize that it's worthless as-is and
rapidly make significant changes in order to make it valuable to users and
attempt to save it.

It was injudicious of a CA to issue another certificate in this name for
this entity after the already well documented controversy. Did they just
not care that it would invite trouble or did they not know that it would
invite controversy and trouble because they didn't track it the first time
around?


On Wed, Apr 11, 2018 at 2:23 PM, Jonathan Rudenberg <jona...@titanous.com>
wrote:

Jonathan Rudenberg

Apr 11, 2018, 3:32:12 PM
to mozilla-dev-s...@lists.mozilla.org, Matthew Hardeman
On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy wrote:
> It was injudicious of a CA to issue another certificate in this name for
> this entity after the already well documented controversy. Did they just
> not care that it would invite trouble or did they not know that it would
> invite controversy and trouble because they didn't track it the first time
> around?

What "trouble" is being invited? I don't see a problem. Everything is operating exactly as expected. GoDaddy did nothing wrong.

Matthew Hardeman

Apr 11, 2018, 3:35:28 PM
to Alex Gaynor, mozilla-dev-s...@lists.mozilla.org
I'm not sure why it can't be evidence of both.

Is it an offense by GoDaddy for which there should be repercussions from
the root programs towards GoDaddy? No.

You're correct that it illustrates that EV has an enormous value gap in its
current form. My own opinion is that I would rather see that fixed than no
mechanism remain for tying websites to the physical world.

I do not believe it is impossible to fix.

On Wed, Apr 11, 2018 at 2:23 PM, Alex Gaynor <aga...@mozilla.com> wrote:

> I disagree on what this is evidence of:
>
> It's evidence that the claimed benefits of EV (by CA, WRT phishing) do not
> match the technical reality. As Ryan noted, as far as I'm aware this
> certificate violates neither the BRs, nor the EVG.
>
> Alex
>
> On Wed, Apr 11, 2018 at 2:48 PM, Matthew Hardeman via dev-security-policy
> <dev-secur...@lists.mozilla.org> wrote:
>
>> Additionally, I think it's fair to say that I'm aghast that another CA
>> (who by their inclusion in the Mozilla root program has agreed to stay
>> abreast of developments on this list) has issued for the exact same entity
>> and name that already led to significant controversy covered on this list
>> less than a year ago.
>>
>> I believe that speaks to inattention to the list or failure to
>> incorporate lessons learned from controversies on this list into issuance
>> and/or validation practice.
>>
>> On Wednesday, April 11, 2018 at 1:19:03 PM UTC-5, Ryan Sleevi wrote:
>>
>> > Could you clarify what you're aghast at?

Matthew Hardeman

Apr 11, 2018, 3:41:09 PM
to Jonathan Rudenberg, mozilla-dev-security-policy
Isn't that question a little disingenuous?

There was massive controversy in the mainstream tech press and throughout
the InfoSec press and elsewhere when a certificate with this EV indication
for this entity name for this website and purpose previously issued. It
invites trouble in the sense that one must assume that the reaction will be
more of the same -- worse, actually, as it now suggests that the last time
wasn't a fluke.

It is difficult to believe that a rational actor would not expect an
issuance of the same nature as last time to yield anything other than the
same controversy.

For most commercial entities, taking an action that results in something
you're able to monetize and sell today becoming something you can no longer
meaningfully sell tomorrow is "inviting trouble".

Matt

On Wed, Apr 11, 2018 at 2:31 PM, Jonathan Rudenberg <jona...@titanous.com>
wrote:


Eric Mill

Apr 12, 2018, 10:21:25 AM
to Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Matthew Hardeman
I'll go further, and protest why the EV cert was revoked. Why can't Ian
have a "Stripe, Inc." EV certificate for his business if he wants to? What
makes the payment processing company somehow more deserving of one than
Ian's company? Why was GoDaddy allowed to effectively take Ian's site down
without his consent?

If this is how EV is going to be handled, I think it's time to seriously
discuss removing the display of EV information from Mozilla products.

-- Eric

On Wed, Apr 11, 2018 at 3:31 PM, Jonathan Rudenberg via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:

> On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy
> wrote:
> > It was injudicious of a CA to issue another certificate in this name for
> > this entity after the already well documented controversy. Did they just
> > not care that it would invite trouble or did they not know that it would
> > invite controversy and trouble because they didn't track it the first
> time
> > around?
>
> What "trouble" is being invited? I don't see a problem. Everything is
> operating exactly as expected. GoDaddy did nothing wrong.



--
konklone.com | @konklone <https://twitter.com/konklone>

Matthew Hardeman

Apr 12, 2018, 11:05:16 AM
to Eric Mill, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org
Because normal users don't understand that there can be more than one
Stripe, Inc and why there can be.

Many normal users know there's this thing called Stripe that a lot of
websites use for payment and that it's legit.

I'm good with EV becoming a popularity contest. I'd be good with
publish-for-opposition. Much could be enhanced here.

Third party legitimacy signals are something many end users want.

I'm well aware that gets into the subjective.

Having said that, if a vacuum is created in that space, the various CAs and
some far less scrupulous "security" companies will come up with an
endorsement badge concept for active vulnerability scanning, etc.

The tradeoff for having EV in the browser UI is that at least some of the
strong minds in the community get to shape that program and requirements.

You could drop it from the browser UIs. They'll just move it to the
content pane.

But no matter how hard you try, you'll not break the end-user from looking
for what they perceive as a third-party legitimacy endorsement.

I'd very much like to see EV transformed to require individual validation
with name and contact point in the certificate. I understand that has
significant privacy implications, but EV is optional anyway.

Today, EV is supposed to provide strong real-world identity. I think it
should be extended to speak to signaled commitment of legitimate intent.
Which means policing EV certificate holders, revoking for other than
endorsed use cases.

Ryan Sleevi

Apr 12, 2018, 11:11:21 AM
to Eric Mill, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Matthew Hardeman
Indeed, I find it concerning that several CAs were more than happy to take
Ian's money for the issuance, but then determined (without apparent cause
or evidence) to revoke the certificate. Is there any evidence that this
certificate was misissued - that the information was not correct? Is there
evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
requested this certificate to be revoked?

If anything, this highlights the deeply concerning practices of revocation
by CAs, and their ability to disrupt services of legitimate businesses.

Matthew Hardeman

Apr 12, 2018, 11:37:24 AM
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill
As far as I've seen there's no notion of "shall issue" or "must issue" in
any of the guidelines.

In other words, it would appear that CAs are free to restrict issuance or
restrict use and validity of EV certificates (or any other certificates,
for that matter) if they so choose.

Mr. Carroll may have a commercial dispute between himself or his entity and
the CAs, but that's a routine commercial dispute. It appears likely that
the terms of engagement with most of the commercial CAs would grant the CA
cover to revoke if they find the certificate or its use to be perverse to
security or likely to cause risk, etc.

Is there a censorship aspect there? Perhaps. As has been noted before,
however, we're forced to tolerate that from Microsoft anyway.

Eric Mill

Apr 12, 2018, 11:55:31 AM
to Matthew Hardeman, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org
It's not clear that end users pay any attention to EV UI, or properly
understand what they're looking at. It's especially unclear whether, if a
user went to a site that was *lacking* EV but just had a DV/OV UI, that the
user would notice anything at all.

That's the status quo. This incident makes it more clear that even if we
invested more in EV UI in some way, it would only exacerbate a capricious
dynamic where CAs are responsible for deciding which brands and companies
are more important than others, and use arbitrary and undefined criteria to
decide whether a legitimate web service and registered business entity will
suffer immediate downtime.

Fortunately, because so few users make decisions based on EV UI, it's also
not clear Mozilla would suffer much in the way of first-mover disadvantage
by removing it. Users choose what browsers they use, not CAs, and the loss
of EV UI seems unlikely to generate much in the way of users switching
their user agents.

-- Eric



On Thu, Apr 12, 2018 at 11:35 AM, Matthew Hardeman <mhar...@gmail.com>
wrote:

Matthew Hardeman

Apr 12, 2018, 12:00:36 PM
to Eric Mill, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org
It's not clear to me how the determination is made that not many end users
rely on the distinguished UI.

Is this done by survey?

How likely is it that the people who do utilize such things would even
bother to answer a one question survey?

Wayne Thayer

Apr 12, 2018, 12:33:14 PM
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Matthew Hardeman
On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Indeed, I find it concerning that several CAs were more than happy to take
> Ian's money for the issuance, but then determined (without apparent cause
> or evidence) to revoke the certificate. Is there any evidence that this
> certificate was misissued - that the information was not correct? Is there
> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
> requested this certificate to be revoked?
>
> If anything, this highlights the deeply concerning practices of revocation
> by CAs, and their ability to disrupt services of legitimate businesses.
>
BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours if "The
CA determines that any of the information appearing in the Certificate is
inaccurate or misleading." I'm sympathetic to the arguments being made here,
but the whole point of this discussion is that the EV information presented
to users is misleading, so these CAs did what was required of them.

Eric Mill

Apr 12, 2018, 12:41:21 PM
to Wayne Thayer, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Matthew Hardeman
On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wth...@mozilla.com> wrote:

> On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>> Indeed, I find it concerning that several CAs were more than happy to take
>> Ian's money for the issuance, but then determined (without apparent cause
>> or evidence) to revoke the certificate. Is there any evidence that this
>> certificate was misissued - that the information was not correct? Is there
>> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
>> requested this certificate to be revoked?
>>
>> If anything, this highlights the deeply concerning practices of revocation
>> by CAs, and their ability to disrupt services of legitimate businesses.
>>
> BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours if
> "The CA determines that any of the information appearing in the
> Certificate is inaccurate or misleading" I'm sympathetic to the arguments
> being made here, but the whole point of this discussion is that the EV
> information presented to users is misleading, so these CAs did what was
> required of them.
>

That's not accurate -- the EV information presented to users was not
misleading. It correctly described Ian's registered company. The
certificate was incorrectly revoked. We should probably be discussing
whether punitive measures are appropriate for this revocation.

-- Eric

Ryan Sleevi

Apr 12, 2018, 12:45:40 PM
to Wayne Thayer, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Matthew Hardeman
On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wth...@mozilla.com> wrote:

> On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>> Indeed, I find it concerning that several CAs were more than happy to take
>> Ian's money for the issuance, but then determined (without apparent cause
>> or evidence) to revoke the certificate. Is there any evidence that this
>> certificate was misissued - that the information was not correct? Is there
>> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
>> requested this certificate to be revoked?
>>
>> If anything, this highlights the deeply concerning practices of revocation
>> by CAs, and their ability to disrupt services of legitimate businesses.
>>
> BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours if
> "The CA determines that any of the information appearing in the
> Certificate is inaccurate or misleading" I'm sympathetic to the arguments
> being made here, but the whole point of this discussion is that the EV
> information presented to users is misleading, so these CAs did what was
> required of them.
>

In what way is it misleading though? It fully identified the organization
that exists, which is a legitimate organization. Thus, the information that
appears within the certificate itself is not misleading - and I don't think
4.9.1.1 applies.

Or are we saying it's misleading because some browsers only display a
portion of that information in their security UI? If so, is that a failure
of the security UI (for not showing all the information present)? Or is the
argument that it's misleading if any two entities share the same O and C
(the information displayed)? Is it still misleading if the Cs differ? If
this is the vein to take, should CAs then be responsible for examining CT
(or other sources) to determine if two organizations share the same (or
similar?) names, regardless of incorporation location, and refuse to issue
if there is an extant cert for a different organization? Or we can continue
taking the argument further, by suggesting that if a smaller organization
gets the cert first, they could find their cert revoked if a more 'popular'
organization with the same name wants a cert instead.

In the DNS space, this is an extremely complex, nuanced issue, with the
whole Uniform Domain-Name Dispute Resolution Policy established, in part,
to try to put parties on semi-equitable footing. The current approach being
taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
all things one would expect from such policies.
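
An added example, not code from the thread or from any CA's tooling, showing the collision Ryan's post describes: given CT-style EV subject records (constructed sample values; the registration numbers are placeholders and the EvSubject type and function names are mine), it groups certificates by the (O, C) pair a browser EV indicator displays and reports pairs that map to more than one distinct legal entity, distinguishing entities by jurisdiction of incorporation and registration number rather than by name. Organization names are normalized so punctuation variants such as "Stripe, Inc." and "Stripe, Inc" count as the same displayed name, covering the "same (or similar?) names" question as well.

```python
"""Added example: do two EV certificates that look identical in the browser
UI actually name the same legal entity?

The sample records below are constructed for illustration; they are not
taken from Certificate Transparency logs or from the thread, and the
registration numbers are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


def normalize_org(name):
    """Fold punctuation and spacing variants of a company name together,
    so 'Stripe, Inc.' and 'Stripe, Inc' count as the same displayed name."""
    return re.sub(r"\s+", " ", re.sub(r"[.,]", "", name)).strip().lower()


@dataclass(frozen=True)
class EvSubject:
    """The EV subject fields that matter for this comparison."""
    organization: str          # O
    country: str               # C
    jurisdiction_country: str  # jurisdictionCountryName
    jurisdiction_state: str    # jurisdictionStateOrProvinceName ("" if none)
    registration_number: str   # serialNumber (company registration number)

    def displayed(self):
        """What a typical EV indicator shows: organization name and C only."""
        return (normalize_org(self.organization), self.country)

    def legal_identity(self):
        """Fields that distinguish one legal entity from another with the
        same name: jurisdiction of incorporation and registration number."""
        return (self.jurisdiction_country, self.jurisdiction_state,
                self.registration_number)


def find_displayed_collisions(subjects):
    """Group certificates by the (O, C) pair the UI displays and return
    the pairs that map to more than one distinct legal entity.

    Two certificates for the same entity (e.g. a renewal) share a
    legal_identity and are therefore not reported as a collision.
    """
    entities_by_display = defaultdict(set)
    for s in subjects:
        entities_by_display[s.displayed()].add(s.legal_identity())
    return {shown: sorted(ids)
            for shown, ids in entities_by_display.items() if len(ids) > 1}


# Constructed sample records: two unrelated "Stripe, Inc" entities in
# different US states, plus two certificates for one unrelated company.
SAMPLE_SUBJECTS = [
    EvSubject("Stripe, Inc.", "US", "US", "Delaware", "REG-PLACEHOLDER-1"),
    EvSubject("Stripe, Inc", "US", "US", "Kentucky", "REG-PLACEHOLDER-2"),
    EvSubject("Example Widgets LLC", "US", "US", "Nevada", "REG-PLACEHOLDER-3"),
    EvSubject("Example Widgets LLC", "US", "US", "Nevada", "REG-PLACEHOLDER-3"),
]


if __name__ == "__main__":
    for shown, identities in find_displayed_collisions(SAMPLE_SUBJECTS).items():
        print(f"UI shows {shown!r} for {len(identities)} distinct entities:")
        for jurisdiction_c, jurisdiction_st, reg in identities:
            print(f"  {jurisdiction_c}/{jurisdiction_st or '-'} reg {reg}")
```

On the sample data only the two "Stripe, Inc" records are reported; the repeated Example Widgets LLC certificate is recognised as the same entity and ignored.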

Matthew Hardeman

Apr 12, 2018, 12:50:30 PM
to Eric Mill, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Wayne Thayer
On Thu, Apr 12, 2018 at 11:40 AM, Eric Mill <er...@konklone.com> wrote:

>
> That's not accurate -- the EV information presented to users was not
> misleading. It correctly described Ian's registered company. The
> certificate was incorrectly revoked. We should probably be discussing
> whether punitive measures are appropriate for this revocation.
>
> -- Eric
>
>

That turns on your definition of "misleading", however. It's entirely
possible to be 100% accurate with factual statements and yet present them
in a light that is absolutely "misleading".

Did the certificate present incorrect factual data? No.

Does a user on the Internet who believes he is dealing with "Stripe" expect
that he's dealing with that particular Stripe which processes payments?
Yes, in general.

If you're an internet user and the name Stripe is presented, one of two
reactions will arise:

1. You're not aware of any Stripe at all.
- or -
2. You've used Stripe on one of a great many websites to pay. If you
remember the name at all, you remember and expect Stripe to be that
particular Stripe.

It's misleading to present the name "Stripe" to an Internet user if you
don't mean that particular Stripe.

Matthew Hardeman

Apr 12, 2018, 12:54:29 PM
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 11:45 AM, Ryan Sleevi <ry...@sleevi.com> wrote:

>
> In what way is it misleading though? It fully identified the organization
> that exists, which is a legitimate organization. Thus, the information that
> appears within the certificate itself is not misleading - and I don't think
> 4.9.1.1 applies.
>

Because the common Internet user who has any awareness of the name Stripe
will expect that reference to be to the particular Stripe that processes
payments and that they've likely interacted with before.


>
> Or are we saying it's misleading because some browsers only display a
> portion of that information in their security UI? If so, is that a failure
> of the security UI (for not showing all the information present)? Or is the
> argument that it's misleading if any two entities share the same O and C
> (the information displayed)? Is it still misleading if the Cs differ? If
> this is the vein to take, should CAs then be responsible for examining CT
> (or other sources) to determine if two organizations share the same (or
> similar?) names, regardless of incorporation location, and refuse to issue
> if there is an extant cert for a different organization? Or we can continue
> taking the argument further, by suggesting that if a smaller organization
> gets the cert first, they could find their cert revoked if a more 'popular'
> organization with the same name wants a cert instead.
>
>
The smaller organization losing the name to a more popular latecomer is
possible, but it's unlikely that the party who arrives later will be able
to take the name if the smaller entity fights for it. For that matter,
larger entities usually diligently search for a unique name to either buy
if need be or claim for their own.


> In the DNS space, this is an extremely complex, nuanced issue, with the
> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
> to try to put parties on semi-equitable footing. The current approach being
> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
> all things one would expect from such policies.
>

There's no reason to make it that complex. EV is an enhancement, not a
requirement. The displayed name should be issued to that party which the
largest majority of users recognize that name as being affiliated with.

Wayne Thayer

Apr 12, 2018, 1:03:59 PM
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Matthew Hardeman
On Thu, Apr 12, 2018 at 9:45 AM, Ryan Sleevi <ry...@sleevi.com> wrote:

>
>
> On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wth...@mozilla.com>
> wrote:
>
>> On Thu, Apr 12, 2018 at 8:10 AM, Ryan Sleevi via dev-security-policy <
>> dev-secur...@lists.mozilla.org> wrote:
>>
>>> Indeed, I find it concerning that several CAs were more than happy to
>>> take
>>> Ian's money for the issuance, but then determined (without apparent cause
>>> or evidence) to revoke the certificate. Is there any evidence that this
>>> certificate was misissued - that the information was not correct? Is
>>> there
>>> evidence that Ian, as Subscriber, or stripe.ian.sh, as domain holder,
>>> requested this certificate to be revoked?
>>>
>>> If anything, this highlights the deeply concerning practices of
>>> revocation
>>> by CAs, and their ability to disrupt services of legitimate businesses.
>>>
>> BR 4.9.1.1 states that a CA SHALL revoke a certificate within 24 hours
>> if "The CA determines that any of the information appearing in the
>> Certificate is inaccurate or misleading" I'm sympathetic to the arguments
>> being made here, but the whole point of this discussion is that the EV
>> information presented to users is misleading, so these CAs did what was
>> required of them.
>>
>
> In what way is it misleading though? It fully identified the organization
> that exists, which is a legitimate organization. Thus, the information that
> appears within the certificate itself is not misleading - and I don't think
> 4.9.1.1 applies.
>
I would refer you to your email, kicking off the 150+ message thread on
this topic back in December, that included these statements:

"...and more importantly, how easy it is to obtain certificates that may
confuse or mislead users"
"given the ability to provide accurate-but-misleading information in EV
certificates,..."

https://groups.google.com/d/msg/mozilla.dev.security.policy/szD2KBHfwl8/kWLDMfPhBgAJ

> Or are we saying it's misleading because some browsers only display a
> portion of that information in their security UI? If so, is that a failure
> of the security UI (for not showing all the information present)? Or is the
> argument that it's misleading if any two entities share the same O and C
> (the information displayed)? Is it still misleading if the Cs differ? If
> this is the vein to take, should CAs then be responsible for examining CT
> (or other sources) to determine if two organizations share the same (or
> similar?) names, regardless of incorporation location, and refuse to issue
> if there is an extant cert for a different organization? Or we can continue
> taking the argument further, by suggesting that if a smaller organization
> gets the cert first, they could find their cert revoked if a more 'popular'
> organization with the same name wants a cert instead.
>
> In the DNS space, this is an extremely complex, nuanced issue, with the
> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
> to try to put parties on semi-equitable footing. The current approach being
> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
> all things one would expect from such policies.
>

I agree with this, but the current approach taken by CAs is defined in the
BRs, so pointing fingers at individual CAs is not the solution. Based on
this argument, the requirement to revoke when a certificate contains
misleading information should be removed from the BRs.

Matthew Hardeman

Apr 12, 2018, 1:07:11 PM
to Wayne Thayer, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill
On Thu, Apr 12, 2018 at 12:03 PM, Wayne Thayer <wth...@mozilla.com> wrote:
>
>
> I agree with this, but the current approach taken by CAs is defined in the
> BRs, so pointing fingers at individual CAs is not the solution. Based on
> this argument, the requirement to revoke when a certificate contains
> misleading information should be removed from the BRs.
>

And that would seem like a really perverse outcome.

Ryan Sleevi

Apr 12, 2018, 1:24:42 PM
to Matthew Hardeman, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 12:50 PM, Matthew Hardeman <mhar...@gmail.com>
wrote:
>
> It's misleading to present the name "Stripe" to an Internet user if you
> don't mean that particular Stripe.
>

So Apple Computer is misleading to customers of Apple Records, and Apple
Records is misleading to customers of Apple Computer, is that the argument?
In which case, no one named "Apple" should get a certificate, right?

Ryan Sleevi

Apr 12, 2018, 1:27:58 PM
to Matthew Hardeman, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 12:54 PM, Matthew Hardeman <mhar...@gmail.com>
wrote:
>
> Because the common Internet user who has any awareness of the name Stripe
> will expect that reference to be to the particular Stripe that processes
> payments and that they've likely interacted with before.
>

This is a patently distasteful argument based on broad generalizations that
do not hold any merit. I realize you've acknowledged your argument is
fundamentally a popularity contest, but it seems to really base its core on
"Whoever Matthew Hardeman doesn't think should have a certificate" -
because there's zero data to support your claim that "will expect", or a
definition of what constitutes a "common Internet user" (especially in a
global context). I realize it sounds compelling, but you're making up
strawmen to support that argument, and the core is an opposition to some
people being able to get (EV) certificates as a result.


> In the DNS space, this is an extremely complex, nuanced issue, with the
>> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
>> to try to put parties on semi-equitable footing. The current approach being
>> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
>> all things one would expect from such policies.
>>
>
> There's no reason to make it that complex. EV is an enhancement, not a
> requirement. The displayed name should be the issued to that party which
> the largest majority of users recognize that name as being affiliated with.
>

So the rules are made up and the certificates are meaningless, then, since
it's all a popularity contest with shifting requirements based on made up
ideas. It's certificate Calvinball, and it's a rather silly game to play
because of it.

Matthew Hardeman

Apr 12, 2018, 1:28:56 PM4/12/18
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 12:24 PM, Ryan Sleevi <ry...@sleevi.com> wrote:

>
> So Apple Computer is misleading to customers of Apple Records, and Apple
> Records is misleading to customers of Apple Computer, is that the argument?
> In which case, no one named "Apple" should get a certificate, right?
>
>
Your example is perfect support for my position.

Apple Computer and Apple Records have a long and well-published animosity
between them over sharing the name, but between lawsuits and settlement
actions have managed to arrive at agreement where both can be Apple for
certain uses and in certain scopes.

What does the average internet user expect Apple to refer to? Yep - Apple
the computer / iPhone people. Want it to say Apple? It needs to be them.

If Apple Records wants an EV certificate that clearly says Apple Records I
think that's clearly different enough that they should be able to. But
not Apple, that's perverse to simple common everyday expectation.

Wayne Thayer

Apr 12, 2018, 1:33:19 PM4/12/18
to Matthew Hardeman, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill
On Thu, Apr 12, 2018 at 10:28 AM, Matthew Hardeman <mhar...@gmail.com>
wrote:

>
>
In this example, I believe the EV certs would contain O = "Apple, Inc." and
O = "Apple Corps Ltd", or at least O = "Apple Records (Apple Corps Ltd)"

Ryan Sleevi

Apr 12, 2018, 1:33:48 PM4/12/18
to Wayne Thayer, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Matthew Hardeman
On Thu, Apr 12, 2018 at 1:03 PM, Wayne Thayer <wth...@mozilla.com> wrote:

> On Thu, Apr 12, 2018 at 9:45 AM, Ryan Sleevi <ry...@sleevi.com> wrote:
>
>>
>>
>> On Thu, Apr 12, 2018 at 12:32 PM, Wayne Thayer <wth...@mozilla.com>
So that seems to support the "it's misleading because some browsers only
display a portion of that information in their security UI". If Firefox
showed the full certificate details, would it have been misleading?
Similarly, if I make a custom fork of Chromium that displays the first four
characters of the O field, and get Eric to say he uses it, does that make
it misleading to (some) browsers?

It's a very slippery slope, and while I agree it's taking the argument to
an obvious extreme, the degree of subjectivity being exercised by CAs here
(and encouraged by Matthew) is worth calling out - that this isn't a
bright-line in any shape, but rather, an entirely subjective and arbitrary
revocation.


>
> Or are we saying it's misleading because some browsers only display a
>> portion of that information in their security UI? If so, is that a failure
>> of the security UI (for not showing all the information present)? Or is the
>> argument that it's misleading if any two entities share the same O and C
>> (the information displayed)? Is it still misleading if the Cs differ? If
>> this is the vein to take, should CAs then be responsible for examining CT
>> (or other sources) to determine if two organizations share the same (or
>> similar?) names, regardless of incorporation location, and refuse to issue
>> if there is an extant cert for a different organization? Or we can continue
>> taking the argument further, by suggesting that if a smaller organization
>> gets the cert first, they could find their cert revoked if a more 'popular'
>> organization with the same name wants a cert instead.
>>
>> In the DNS space, this is an extremely complex, nuanced issue, with the
>> whole Uniform Domain-Name Dispute Resolution Policy established, in part,
>> to try to put parties on semi-equitable footing. The current approach being
>> taken by CAs lacks that, lacks the transparency, and lacks the neutrality -
>> all things one would expect from such policies.
>>
>
> I agree with this, but the current approach taken by CAs is defined in the
> BRs, so pointing fingers at individual CAs is not the solution. Based on
> this argument, the requirement to revoke when a certificate contains
> misleading information should be removed from the BRs.
>

I agree that the BRs and EVGs provide substantial (unlimited) leeway for
CAs to revoke certificates for any reason or no reason at all. Unlike users
who have choices in browsers and devices, however, server operators lack
meaningful choices, as there are only a limited number of trusted
organizations, and unlike the registry/registrar split of the domain name
system (which seeks to balance the interests by separating out the TLD
operators from the domain sellers), the root CAs have concentrated policy
power that they can flow down to their entire hierarchy. So, unlike domain
names, in which if a registrar doesn't want to do business with you, you
can start your own registrar (and the registry must accept if you're
qualified), if you're denied a cert or your service is interrupted for such
capricious reasons, you're SOL.

Because of this, it's incumbent upon interested parties to point fingers at
individual CAs when they abuse that position to capriciously disrupt
otherwise qualified services for arbitrary reasons.

Ryan Sleevi

Apr 12, 2018, 1:34:28 PM4/12/18
to Matthew Hardeman, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 1:28 PM, Matthew Hardeman <mhar...@gmail.com>
wrote:

>
>
> On Thu, Apr 12, 2018 at 12:24 PM, Ryan Sleevi <ry...@sleevi.com> wrote:
>
>>
>> So Apple Computer is misleading to customers of Apple Records, and Apple
>> Records is misleading to customers of Apple Computer, is that the argument?
>> In which case, no one named "Apple" should get a certificate, right?
>>
>>
> Your example is perfect support for my position.
>

Thank you for clarifying. I think your position is terrible :)

Matthew Hardeman

Apr 12, 2018, 1:53:00 PM4/12/18
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 12:27 PM, Ryan Sleevi <ry...@sleevi.com> wrote:

> This is a patently distasteful argument based on broad generalizations that
> do not hold any merit. I realize you've acknowledged your argument is
> fundamentally a popularity contest, but it seems to really base its core on
> "Whoever Matthew Hardeman doesn't think should have a certificate" -
> because there's zero data to support your claim that "will expect", or a
> definition of what constitutes a "common Internet user" (especially in a
> global context). I realize it sounds compelling, but you're making up
> strawmen to support that argument, and the core is an opposition to some
> people being able to get (EV) certificates as a result.
>

I understand and respect your position here, without agreeing with
it. You've clearly been a force for improving internet security for the
masses and each of us daily benefits from the work that you do. Having
said that, I regard as "patently distasteful" your assertion that users are
so inept with evaluating an EV indicator that the indicator should not be
available as a differentiator for those who wish to go the extra distance
to expose their offline identities. The "common Internet user" probably
won't find my assumptions about them to be offensive.


>
>
> So the rules are made up and the certificates are meaningless, then, since
> it's all a popularity contest with shifting requirements based on made up
> ideas. It's certificate Calvinball, and it's a rather silly game to play
> because of it.
>

Just because a selection criterion is hard to codify does not mean that it's
not worth doing. Will there always be a subjective aspect? Probably.

As far as anyone has demonstrated, it remains the case that no one who has
relied upon EV indication as a signal of enhanced trustworthiness has
suffered consequence for that. Certainly the same cannot be said for the
little green lock alone. In order for EV to maintain the clean "user who
relied upon this hasn't been phished", the CAs issuing EV certificates will
necessarily have to become more selective about issuance.

I understand the overarching goal is likely to eliminate all security
indicators in the long run. Ultimately, in a 100% TLS world with at least
valid DV certificates, we can say that there's no need as everything is
encrypted and that the communication is authenticated as being exchanged
with a host at the target domain-label in the URL bar. That allows the
browsers to wash their hands of advising the user of security data points.
It's also not how human nature works. The universe abhors a vacuum and in
the absence of an indicator in browser UI, they will seek it in droves from
some ridiculous scheme sold by charlatans and implemented in the content
pane. Those ridiculous security badges are still a thing for that reason.
People like having something to compare or test.

Ryan Sleevi

Apr 12, 2018, 1:53:45 PM4/12/18
to Wayne Thayer, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Matthew Hardeman
On Thu, Apr 12, 2018 at 1:32 PM, Wayne Thayer <wth...@mozilla.com> wrote:

> On Thu, Apr 12, 2018 at 10:28 AM, Matthew Hardeman <mhar...@gmail.com>
> wrote:
>
>>
>>
>> On Thu, Apr 12, 2018 at 12:24 PM, Ryan Sleevi <ry...@sleevi.com> wrote:
>>
>>>
>>> So Apple Computer is misleading to customers of Apple Records, and Apple
>>> Records is misleading to customers of Apple Computer, is that the argument?
>>> In which case, no one named "Apple" should get a certificate, right?
>>>
>>>
>> Your example is perfect support for my position.
>>
>> Apple Computer and Apple Records have a long and well-published animosity
>> between them over sharing the name, but between lawsuits and settlement
>> actions have managed to arrive at agreement where both can be Apple for
>> certain uses and in certain scopes.
>>
>> What does the average internet user expect Apple to refer to? Yep -
>> Apple the computer / iPhone people. Want it to say Apple? It needs to be
>> them.
>>
>> If Apple Records wants an EV certificate that clearly says Apple Records
>> I think that's clearly different enough that they should be able to. But
>> not Apple, that's perverse to simple common everyday expectation.
>>
>
> In this example, I believe the EV certs would contain O = "Apple, Inc."
> and O = "Apple Corps Ltd", or at least O = "Apple Records (Apple Corps Ltd)"
>

Yet you can have O = "Apple (Apple, Inc.)" and O = "Apple (Apple Corps
Ltd.)", at least under the EVGs today.

Similarly, "Apple Computer", under the proposed methodology by Matthew,
would not have been able to get an EV certificate, as at the time, "Apple
Corps" was the more popular Apple. Which is part of why it's a terrible
idea.

Do we think those two Apple subject names are misleading? If yes, why? If
no, what makes "O=Stripe, Inc., ST=Kentucky" misleading compared to
"O=Stripe, Inc., ST=California"?

For that matter, why isn't "O=Stripe, Inc., ST=California,
jurisdictionStateOrProvinceName=Delaware" confusing - does the "average
Internet user" understand the distinction between those two states being
presented? Is saying they're in California misleading, since they're a
Delaware corporation? In that regard, Ian's certificate is less misleading
- he's incorporated where he operates.
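To make the point in the post above concrete, here is an added example (not code from the thread or from any CA) that builds two EV-style subject Names in DER, parses them back, and compares what a compact browser indicator showed with what the full subject carries. It assumes a simplified indicator of "organizationName (countryName)" as an approximation of the EV UI of the time; the jurisdiction attribute OIDs are the ones the EV Guidelines define; the two subjects and their serialNumber values are constructed placeholders modelled on the names discussed in the thread. It is pure Python with no third-party dependencies.

```python
"""Encode/parse X.509 subject Names with the EV jurisdiction attributes (constructed example)."""

# Attribute type OIDs: X.520 names plus the EV Guidelines jurisdictionOfIncorporation OIDs.
OIDS = {
    "CN": "2.5.4.3",
    "O": "2.5.4.10",
    "ST": "2.5.4.8",
    "C": "2.5.4.6",
    "serialNumber": "2.5.4.5",
    "businessCategory": "2.5.4.15",
    "jurisdictionLocalityName": "1.3.6.1.4.1.311.60.2.1.1",
    "jurisdictionStateOrProvinceName": "1.3.6.1.4.1.311.60.2.1.2",
    "jurisdictionCountryName": "1.3.6.1.4.1.311.60.2.1.3",
}
NAMES_BY_OID = {v: k for k, v in OIDS.items()}
PRINTABLE = {"C", "jurisdictionCountryName"}  # country codes are PrintableString


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid, taking the OID content octets (no tag/length)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_name(attrs):
    """attrs: list of (short name, value); each becomes a single-attribute RDN, as CAs usually emit."""
    rdns = b""
    for key, value in attrs:
        string_tag = 0x13 if key in PRINTABLE else 0x0C  # PrintableString / UTF8String
        atv = _tlv(0x30, encode_oid(OIDS[key]) + _tlv(string_tag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)  # SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)  # SEQUENCE OF RelativeDistinguishedName


def parse_name(der):
    """DER Name -> list of (short name or dotted OID, value), in on-the-wire order."""
    _, body, _ = _read_tlv(der, 0)
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid_body, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            attrs.append((NAMES_BY_OID.get(decode_oid(oid_body), decode_oid(oid_body)), val.decode("utf-8")))
    return attrs


def ui_label(attrs):
    """Assumed compact EV indicator: organizationName plus countryName, nothing else."""
    d = dict(attrs)
    return f"{d['O']} ({d['C']})"


def legal_identity(attrs):
    """The attributes that actually pin down the legal entity; hidden behind a click in the compact UI."""
    d = dict(attrs)
    keys = ("O", "serialNumber", "jurisdictionStateOrProvinceName", "jurisdictionCountryName", "businessCategory")
    return {k: d.get(k) for k in keys}


def display_collision(a, b):
    """True when two subjects render identically in the compact UI yet name different legal entities."""
    return ui_label(a) == ui_label(b) and legal_identity(a) != legal_identity(b)


# Constructed subjects modelled on the thread's discussion; serial numbers are placeholders.
STRIPE_DELAWARE = [
    ("C", "US"), ("ST", "California"), ("O", "Stripe, Inc."),
    ("businessCategory", "Private Organization"), ("jurisdictionCountryName", "US"),
    ("jurisdictionStateOrProvinceName", "Delaware"), ("serialNumber", "PLACEHOLDER-SERIAL-A"),
]
STRIPE_KENTUCKY = [
    ("C", "US"), ("ST", "Kentucky"), ("O", "Stripe, Inc."),
    ("businessCategory", "Private Organization"), ("jurisdictionCountryName", "US"),
    ("jurisdictionStateOrProvinceName", "Kentucky"), ("serialNumber", "PLACEHOLDER-SERIAL-B"),
]

if __name__ == "__main__":
    for subj in (STRIPE_DELAWARE, STRIPE_KENTUCKY):
        parsed = parse_name(encode_name(subj))
        print(ui_label(parsed), "->", legal_identity(parsed))
    print("compact UI collision:", display_collision(STRIPE_DELAWARE, STRIPE_KENTUCKY))
```

Both subjects round-trip through DER unchanged and produce the same compact label, while `legal_identity` differs in jurisdiction and serial number. Whether that difference should count as "misleading" is exactly the policy question the thread argues over; what the code shows is that the certificate itself carries the disambiguating data, and only the amount of it surfaced in the UI varies.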

Matthew Hardeman

Apr 12, 2018, 1:56:01 PM4/12/18
to Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 12:52 PM, Ryan Sleevi <ry...@sleevi.com> wrote:

>
>
> For that matter, why isn't "O=Stripe, Inc., ST=California,
> jurisdictionStateOrProvinceName=Delaware" confusing - does the "average
> Internet user" understand the distinction between those two states being
> presented? Is saying they're in California misleading, since they're a
> Delaware corporation? In that regard, Ian's certificate is less misleading
> - he's incorporated where he operates.
>

He has actual operations in Kentucky?

Ryan Sleevi

Apr 12, 2018, 2:10:35 PM4/12/18
to Matthew Hardeman, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Eric Mill, Wayne Thayer
On Thu, Apr 12, 2018 at 1:55 PM, Matthew Hardeman <mhar...@gmail.com>
wrote:

>
>
Well, he has a corporate registration there, so by definition, yes.

Eric Mill

Apr 12, 2018, 2:25:43 PM4/12/18
to Wayne Thayer, Ryan Sleevi, Jonathan Rudenberg, mozilla-dev-s...@lists.mozilla.org, Matthew Hardeman
On Thu, Apr 12, 2018 at 1:03 PM, Wayne Thayer <wth...@mozilla.com> wrote:

> On Thu, Apr 12, 2018 at 9:45 AM, Ryan Sleevi <ry...@sleevi.com> wrote:
>
>>
>> In what way is it misleading though? It fully identified the organization
>> that exists, which is a legitimate organization. Thus, the information that
>> appears within the certificate itself is not misleading - and I don't think
>> 4.9.1.1 applies.
>>
> I would refer you to your email, kicking off the 150+ message thread on
> this topic back in December, that included these statements:
>
> "...and more importantly, how easy it is to obtain certificates that may
> confuse or mislead users"
> "given the ability to provide accurate-but-misleading information in EV
> certificates,..."
>
> https://groups.google.com/d/msg/mozilla.dev.security.policy/szD2KBHfwl8/kWLDMfPhBgAJ
>

Ryan is allowed to change his mind on whether this should be considered
misleading. But either way, I do not believe either was misleading.

Ian's intent may have been to demonstrate EV's weaknesses, but that doesn't
mean Ian was intending to deceive users. If Ian had used this to try to get
people to enter their Stripe credentials or something, then that'd be one
thing. But registering an LLC and then creating a cert for it is a
legitimate activity.

If Ian shouldn't have been allowed to register this business, then that's
something the state/country he registered the business in should express
through laws or adjudication of the registration. The rules and criteria
for those processes are established in many countries through a process at
least nominally responsive to public values.

As it is, this effectively censors Ian's website where he is making a
statement about how EV works and how it interacts with
trademark/registration laws, through his own registered business. That
statement is -- and I'm being serious -- being oppressed, based on a
capricious decision by a CA.

Ian is now not able to maintain this public demonstration on the internet
in any browser (including Chrome, since it's EV), despite having committed
no crimes, not having engaged in any malicious behavior, and not harmed any
users.

That's not the kind of outcome I understand to be consistent with Mozilla's
values and commitment to an open web. I'm fine being told that it's not
fair to come down on any one CA right now, since it's happened a few times
and many folks have considered this normal. But I don't think this is
something Mozilla should continue to consider as normal business practices.

-- Eric

Matthew Hardeman

Apr 12, 2018, 2:41:55 PM4/12/18