[cabfpub] [cabfman] Improving the security of EV Certificates

Gervase Markham gerv at mozilla.org
Thu Dec 19 15:56:35 UTC 2013

On 19/12/13 04:01, kirk_hall at trendmicro.com wrote:
> Gerv -- on your last point, how would the issuing CA know that an
> inquiry was coming from its "own customer"?  An inquiry could come
> from someone pretending to be with a customer, or a member of the
> public, or someone who is with the customer but not a contact we have
> dealt with.

Yes, you are right.

Do we need to think now about how to reduce the incidence of false
complaints, or shall we wait and see if it's a problem in practice?

One could imagine, for example, if false complaints tended to be 3rd
parties complaining about certs for topsites, we could establish a
registry of "valid complainants" for topsites, such that a complaint
about something.foo.com could only come from the contact in the
registry, and all others could be discarded.

Just brainstorming...

> Today, CAs have to provide a means for anyone in the
> world to complain about a cert they have encountered.

So what is changing?