[Servercert-wg] Displaying secure sites to Internet users

Tobias S. Josefowitz tobij at opera.com
Mon Nov 18 08:32:20 MST 2019


Hi Christian,

On Mon, 18 Nov 2019, Christian Heutger via Servercert-wg wrote:

> Problem statement: UI elements currently missing additional information 
> on site operator supporting phishing, scamming and cybercrime

I take it that this all seems very clear to you and that you have 
apparently very little doubt about this.

I follow in so far as that if, for example:

* The user was clearly and reliably presented which entity or person he is
   interacting with,
* The user knew which entity or person he intends to interact with,
* The user were able to tell if these two identities match - or not,
* The user knew which entities or persons would reliably use the kind of
   certificates that carry the suggested notion of identity and which do
   not,

it would be harder to pull off various criminal campaigns including 
phishing and scamming, indeed.

However there is nothing to suggest in the first place that pulling in the 
"standard legal" identity of organizations and persons would provide 
benefits over domain based identity.

Presentation of domain based identity has issues, somewhat more 
fundamental ones like homograph attacks, plus the risk of mis-issuance for 
a whole wealth of possible reasons. Users somewhat regularly fail to 
properly match domain based identity of the site they are interacting 
with, or to know which site they in fact want/should interact with.

These issues would apply one to one to identity as f.x. captured in 
(current) EV certificates, or at the very least I fail to see any 
possible mechanism that would make these issues apply to domain based 
identity only.

> Solution: Work on reliable standards, audit scheme and UI elements

I am terribly sorry to say, but considering the problem statement you 
gave and my thoughts as outlined above, I really do not think we just need 
to "Work on reliable standards, audit scheme and UI elements", and would 
then be done with, if not 100%, some significant fraction of the problem.

Tobi
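
The message above names homograph attacks as one of the more fundamental problems with presenting domain based identity. The following is an added illustration, not part of the thread and not code from Opera or the CA/B Forum: it shows why what a user sees in the address bar and what the client actually resolves and sends in SNI can diverge, and the kind of check (mixed-script detection plus a UTS #39-style confusable "skeleton") that a browser can apply before deciding whether to display the Unicode form or the punycode A-label. The confusables table and the set of "known" sites are constructed for the example; real browsers use the full Unicode tables and their own heuristics.

```python
import unicodedata

# Constructed subset of the Unicode confusables data (UTS #39): Cyrillic
# letters whose glyphs are indistinguishable from Latin ones in common fonts.
# The real table is far larger; this is only enough to drive the example.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j",
}


def skeleton(label: str) -> str:
    """Map confusable characters to the Latin letter they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def scripts(label: str) -> set:
    """Scripts used in a label, approximated by the first word of each
    character's Unicode name (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def wire_form(host: str) -> str:
    """The A-label form a client resolves and puts in SNI (Python's IDNA codec)."""
    return host.encode("idna").decode("ascii")


def analyze(host: str, known_ascii_hosts: set) -> dict:
    """Collect the homograph signals for a host name.

    mixed_script:   a label mixes scripts (Latin + Cyrillic etc.)
    looks_like:     the name after confusable characters are mapped to Latin
    confusable_with_known: looks_like is a different, well-known ASCII host
    """
    labels = host.split(".")
    looks_like = ".".join(skeleton(l) for l in labels)
    return {
        "wire": wire_form(host),
        "mixed_script": any(len(scripts(l)) > 1 for l in labels),
        "looks_like": looks_like,
        "confusable_with_known": looks_like != host and looks_like in known_ascii_hosts,
    }


def display_form(host: str, known_ascii_hosts: set) -> str:
    """What a UI should show: Unicode only when no homograph signal fires,
    otherwise the punycode form so the user sees the name as the client uses it."""
    r = analyze(host, known_ascii_hosts)
    if r["mixed_script"] or r["confusable_with_known"]:
        return r["wire"]
    return host


if __name__ == "__main__":
    # Constructed sample inputs: a mixed-script lookalike of apple.com (Cyrillic
    # U+0430 for the first 'a'), a fully Cyrillic lookalike of apex.com, the
    # genuine ASCII site, and a legitimate all-Cyrillic name.
    known = {"apple.com", "apex.com"}
    for host in ["\u0430pple.com", "\u0430\u0440\u0435\u0445.com",
                 "apple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"]:
        r = analyze(host, known)
        print(f"{host!r:<22} wire={r['wire']:<24} mixed={r['mixed_script']!s:<5} "
              f"looks_like={r['looks_like']:<12} show={display_form(host, known)}")
```

The point the example makes concrete: for the mixed-script name the user would see something rendered as "apple.com" while the client connects to xn--pple-43d.com, and the fully Cyrillic "apex" lookalike passes a single-script check and is only caught by comparing its skeleton against known names. A legitimate all-Cyrillic domain trips neither signal and keeps its Unicode form.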

