On Mon, Dec 11, 2017 at 1:37 PM, Ryan Sleevi <ry...@sleevi.com> wrote:
>
>
> On Mon, Dec 11, 2017 at 2:31 PM, Matthew Hardeman via dev-security-policy
> <dev-secur...@lists.mozilla.org> wrote:
>
>> (Reposting as I accidentally replied directly to OP.)
>>
>> Part of this discussion will necessarily have to include who the intended
>> and potential beneficiaries of EV certificate status are:
>>
>> 1. Is it the common web end user? If so, EV either needs to go or be
>> massively changed.
>> 2. Is it for the kind of person who could properly investigate corporate
>> documents and structure AND would have some benefit in knowing that a given
>> website is asserted by cryptographic signature to be affiliated to a given
>> real world entity? If so, few changes are needed but several could be
>> helpful.
>>
>
> Agreed that these are potential goals, which is why I tried to provide a
> specific and narrow set of questions, so that we can avoid ratholing on
> those.
>
> Specifically, I was asking about 1, as that is what comes from the UI
> treatment. A conclusion of 2 implies the UI should go.
>
In general I would concur that if #2, the UI should go. I think it's
appropriate to raise a question of whether EV can be fixed rather than
dropped. I concur that as it sits, it's broken and can be exploited to
achieve an outcome perverse to EV's stated goals.
>
>
>> 1. Requirement in objective/mostly objective terms of notoriety of
>> client. High note-worthiness of EV applicant would be required.
>> Validation procedures would modify to ensure that the commonly held "note
>> worthy" entity is actually the one applying.
>>
>
> Naturally, this falls apart at "Internet scale"
>
EV issuance is by requirement and definition a manual process. To the
extent that all manual processes fail at internet scale, sure. To the
extent that the outcome of a manual process can still provide useful
information to end users, I do not agree with your conclusion that this
falls apart.
>
>
>> 2. Stability of entity records. The corporate structure is known and has
>> been unchanged, perhaps for a year or more. Effectively, no EV for
>> startups or any new or restructured entity that can't show lengthy and
>> broad claim to the name.
>>
>
> This seems to create a bifurcated Internet which is not "open and
> accessible" (per Item 2 on the Mozilla Manifesto). Namely, if it favors or
> empowers incumbents, and the only ability to be trusted by users is to 'sit
> around' so you have a stable corporate identity, then we're not creating a
> neutral, open platform.
>
Let's be honest here, though. EV status was intended to discriminate
against scammers, phishers, and resourceful MITMs. That's not "open and
accessible" either, strictly speaking. Yet we've tolerated it.
>
>
>> If EV status is intended for business, asset management, and legal
>> professionals, then it's easier. Add mandatory validated parameters for
>> official registry from which the data was referenced (ex: Alabama Secretary
>> of State, Corporations Division) as well as originally filed for
>> registration (ex: State of AL, County of Jefferson Probate Court). Give
>> the docket or document numbers or entity registration number as appropriate
>> for each of these. Attempt to construe a scope of exclusivity and indicate
>> that in lieu of just Country in the green bar.
>>
>
> The EV guidelines already encompass this information - the jurisdiction
> fields, combined with the serialNumber, which is the unique identifying
> number for that entity within the jurisdictional registry, which is unique
> per jurisdictional boundary.
>
Sadly, the current parameters do not fully encompass the legal
possibilities. At a minimum, it is deficient that the purportedly
authoritative registry, according to the CA, is not explicitly named.
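For readers who want to see concretely which identity attributes an EV subject carries (the jurisdiction fields and serialNumber Ryan refers to, plus businessCategory) and what is not there, the following is an added example, not code from either poster or from any CA. It DER-encodes a constructed, fictional EV-style subject Name, decodes it back, and extracts the EV attributes by OID. Assumptions: the OIDs are the standard X.520 ones and the 1.3.6.1.4.1.311.60.2.1.x jurisdictionOfIncorporation attributes; the "always required" set (O, businessCategory, jurisdictionCountryName, serialNumber) is this editor's reading of EV Guidelines section 9.2; the entity, number and DER codec are constructed for the example.

```python
# Added example: DER-encode/decode an X.509 Name (RFC 5280 RDNSequence:
# SEQUENCE OF SET OF SEQUENCE { OID, DirectoryString }) and pull out the
# EV identity attributes. Minimal codec, no cert, no CA, fictional data.
from typing import Dict, List, Tuple

# 2.5.4.* are X.520 attribute types; 1.3.6.1.4.1.311.60.2.1.* are the
# jurisdictionOfIncorporation attributes used by the EV Guidelines.
OID_NAMES = {
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.5": "serialNumber",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionC",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionST",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionL",
}
EV_ATTRS = ("businessCategory", "jurisdictionC", "jurisdictionST",
            "jurisdictionL", "serialNumber")
# Always-required per this editor's reading of EV Guidelines 9.2;
# jurisdictionST/L apply only when the registry is sub-national.
EV_REQUIRED = ("O", "businessCategory", "jurisdictionC", "serialNumber")

# Constructed sample subject (fictional entity and registration number).
SAMPLE_SUBJECT: List[Tuple[str, str]] = [
    ("2.5.4.6", "US"),
    ("2.5.4.10", "Example Holdings, Inc."),
    ("2.5.4.15", "Private Organization"),
    ("1.3.6.1.4.1.311.60.2.1.3", "US"),
    ("1.3.6.1.4.1.311.60.2.1.2", "Alabama"),
    ("2.5.4.5", "000-123-456"),
]

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]  # fine for the 1.x / 2.5.x arcs here
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_name(attrs: List[Tuple[str, str]]) -> bytes:
    rdns = b""
    for oid, value in attrs:
        # countryName and jurisdictionC are PrintableString (0x13), rest UTF8String
        vtag = 0x13 if oid in ("2.5.4.6", "1.3.6.1.4.1.311.60.2.1.3") else 0x0C
        atv = _tlv(0x30, encode_oid(oid) + _tlv(vtag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)  # one AttributeTypeAndValue per RDN
    return _tlv(0x30, rdns)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_name(der: bytes) -> List[Tuple[str, str]]:
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            otag, oid_body, q = _read_tlv(atv, 0)
            vtag, val_body, _ = _read_tlv(atv, q)
            if tag != 0x30 or otag != 0x06 or vtag not in (0x13, 0x0C):
                raise ValueError("malformed AttributeTypeAndValue")
            attrs.append((decode_oid(oid_body), val_body.decode("utf-8")))
    return attrs

def ev_fields(attrs: List[Tuple[str, str]]) -> Dict[str, str]:
    """EV identity attributes keyed by short name. Note what is absent: no
    attribute names the registry the serialNumber was looked up in."""
    return {OID_NAMES[o]: v for o, v in attrs if OID_NAMES.get(o) in EV_ATTRS}

def missing_required(attrs: List[Tuple[str, str]]) -> List[str]:
    present = {OID_NAMES.get(oid) for oid, _ in attrs}
    return [name for name in EV_REQUIRED if name not in present]
```

Running `ev_fields(decode_name(encode_name(SAMPLE_SUBJECT)))` yields businessCategory, jurisdictionC, jurisdictionST and serialNumber; mapping that jurisdiction pair to the Alabama Secretary of State (or any other registry) is knowledge the relying party has to bring from outside the certificate, which is the gap the reply above points at.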