[Servercert-wg] Displaying secure sites to Internet users

Tobias S. Josefowitz tobij at opera.com
Sat Nov 16 11:39:37 MST 2019 

On Fri, 15 Nov 2019, Paul Walsh via Servercert-wg wrote:

>> On Nov 15, 2019, at 8:27 AM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
>>
>> Additionally, do you have any suggestions on how to ensure the 
>> identities expressed in certificates today are reliable? We have ample 
>> evidence that the information presently expressed in EV certificates 
>> cannot be relied upon, and that the standards (such as the EV 
>> Guidelines) do not provide the necessary or sufficient guidance to 
>> ensure the information is reliable.
>
> [PW] Again you ignore things being said because you either disagree or 
> you dislike the people saying them. If you disagree with things being 
> said by experts on this subject, you could at least reference them and 
> use data points from which to show us where and how you draw opposing 
> conclusions. At least then we can see why you say the things you say. 
> Right now I see zero logic to anything you assert about browser UI - 
> while also thinking you?re exceptionally articulate and smart in other 
> technical areas.
>
> You can start by pointing us to a single instance of when a criminal has 
> setup a company and obtained an EV certificate for the purpose of 
> carrying out criminal activity - feel free to go back as far as you 
> like. Please don?t bother to point to researchers who did this for the 
> purpose of showing that it can be done in theory. We all know it can be 
> done in theory, as we?re all smart here. So this can be addressed 
> separately.

Speaking of seeing logic, I cannot see how this would be relevant. You 
bring this up repeatedly, here and elsewhere, but I do not follow. 
Criminals not going to the trouble of getting EV certs for their 
undertakings could obviously be explained by a few things:

* It could simply be impossible.

The fact that researchers have done it shows us that it is not impossible, 
unless you would want to make the argument that there is something that 
enables researchers to do it that does somehow not apply to criminals.

* Criminals do not know about EV.

This is listed more for completeness, that argument is silly.

* It makes no economical sense for criminals to involve EV certificates.

I will boldly assume that everybody will agree this to be the true reason. 
Which in turn means a couple of things:

1) EV badges, in all their changing forms over the recent years, do not
    work, in the sense that, as in fact evidenced by the lack of EV
    phishing campaigns etc., users will happily interact with non-EV-sites
    in ways that are suitable to harm them significantly.

2) You assume another component in the solution that I am not aware of,
    which will be suitable to get users to stop happily interacting with
    non-EV-as-you-would-like-to-see-it sites.

and furthermore

3) It will not be economical, or be economical for criminals only to a
    much lesser degree, to engage in such activity as you are concerned
    with.

As has been pointed out, if 2+3) are the goal here, there could be ways of 
achieving that that do not even involve certificates whatsoever, somewhat 
putting in question if the CABF/SCWG is the right venue to discuss any 
such solutions to begin with.

Maybe even more important though, 2) is riddled with challenges, first and 
foremost the web has never been "pay to play" beyond a few relatively 
minor expenses required to put up a website, and any such solution for 2) 
should better not change that, as not having access to the solution would 
prevent hobbyists, enthusiasts, Open Source projects and maybe even small 
businesses from interacting with users in ways that could harm them (as by 
the supposed purpose of 2).

Thus, to reiterate, I fail to see how presenting you with a "criminal" EV 
cert would be relevant.

Tobi

More information about the Servercert-wg mailing list