[cabfpub] Obtaining an EV cert for phishing

Ryan Sleevi sleevi at google.com
Tue Nov 28 18:58:07 UTC 2017


To be fair, I was grossly simplifying the argument that it is:
a) A crime to mislead a QGIS, QIIS, or QTIS within either the Jurisdiction
of Incorporation or the Place of Business (as Ben and Kirk suggested)
b) A crime to use a cert for 'evil' purposes, as Kirk suggested

There are many other reductions of the arguments being made here that would
also apply, but I thought it worth pointing out that the argument that it'd
be a crime to commit crime, is somewhat of a flawed tautology, and by no
means a way to conclude we'd prevent crime by criminalizing crime.

On Tue, Nov 28, 2017 at 1:35 PM, Christian Heutger via Public <
public at cabforum.org> wrote:

> It also means that a crime favours another crime, and that is exactly how
> criminals are caught, because they leave their mark, the more so, the
> better, because it makes it easier to get to the bottom of it. If you were
> to skip steps now, you would also deprive yourself of opportunities to hunt
> down criminals.
>
>
>
> *From: *Public <public-bounces at cabforum.org> on behalf of Ryan Sleevi
> via Public <public at cabforum.org>
> *Reply-To: *Ryan Sleevi <sleevi at google.com>, CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Date: *Tuesday, 28 November 2017 at 19:26
> *To: *Ben Wilson <ben.wilson at digicert.com>, CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject: *Re: [cabfpub] Obtaining an EV cert for phishing
>
>
>
> Just to square these comments:
>
>
>
> Kirk's position was that EV certificates provide a way of tracking those
> who'd commit crime online because they have to disclose identity.
>
> Gerv and James pointed out that the identity information is only as useful
> as it is vetted, and there are scenarios where the vetting may not be
> rigorous.
>
> Ben pointed out that it'd be a crime to lie to the government (although,
> as a broad statement, this varies by jurisdiction)
>
>
>
> By combining these views, it seems like we're in agreement that criminals
> who are willing to commit crime may need to commit crime to commit crime.
> That doesn't seem like the requirement to commit crime would deter a
> criminal from committing crime, but what do I know - I'm not a criminal (I
> don't think...)
>
>
>
> On Tue, Nov 28, 2017 at 12:50 PM, Ben Wilson via Public <
> public at cabforum.org> wrote:
>
> Gerv wrote: I would say that the EV Guidelines allow EV issuers to trust
> things which are QGISes because there's an assumption that information in a
> Government information source will have had some level of checking.
>
> I'd disagree.  QGISes are relied upon because everyone relies on them
> because lying to the government is a crime.
>
>
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
> Markham via Public
> Sent: Tuesday, November 28, 2017 10:46 AM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; James Burton <
> james at sirburton.com>; CA/Browser Forum Public Discussion List <
> public at cabforum.org>
> Subject: Re: [cabfpub] Obtaining an EV cert for phishing
>
> Hi Kirk,
>
> On 28/11/17 17:03, Kirk Hall wrote:
> > Thanks for the additional information, James.  In the end, the EV
> > Guidelines did exactly what they were designed to do – they provided a
> > way for the public to find you (as the company owner) if you used your
> > EV certificate and domain to do something wrong.
>
> They did, but only because he was honest. He is pointing out that it may
> not be difficult, due to the lack of checking, for a dishonest person to
> use fake information. I do think that's an issue of concern.
>
> I would say that the EV Guidelines allow EV issuers to trust things which
> are QGISes because there's an assumption that information in a Government
> information source will have had some level of checking. But it seems from
> this experience that this is not true in all cases. That concerns me. Do we
> have to agree that Companies House is not a valid QGIS?
>
> This is not a phishing issue, it's a more general "integrity of the EV
> process" issue.
>
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>