[Servercert-wg] Displaying secure sites to Internet users

Christian Heutger ch at psw.net
Mon Nov 18 09:09:36 MST 2019


Hi,

See my answers inline.

Regards,
Christian

On 18.11.19, 16:32, "Tobias S. Josefowitz" <tobij at opera.com> wrote:

    Hi Christian,
    
    On Mon, 18 Nov 2019, Christian Heutger via Servercert-wg wrote:
    
    > Problem statement: UI elements currently missing additional information 
    > on site operator supporting phishing, scamming and cybercrime
    
    I take it that this all seems very clear to you and that you have 
    apparently very little doubt about this.
    
    I follow in so far as that if, for example:
    
    * The user was clearly and reliably presented which entity or person he is
       interacting with,
    * The user knew which entity or person he intends to interact with,
    * The user were able to tell if these two identities match - or not,
    * The user knew which entities or persons would reliably use the kind of
       certificates that carry the suggested notion of identity and which do
       not,
    
    it would be harder to pull off various criminal campaigns including 
    phishing and scamming, indeed.
    
    However there is nothing to suggest in the first place that pulling in the 
    "standard legal" identity of organizations and persons would provide 
    benefits over domain based identity.

This is exactly the point where I don't agree. It is so easy to register a domain name, and there is little to no check at all of who is registering a domain name. With international domains, subdomains that look like paths, etc., phishing, scamming and cybercrime activists are working well on hiding or adopting domain "identity" (which has now also lost any corresponding whois data, which, however, had also been hidden before in some cases). My suggestion also moves away from entity names, as they are not protected as well as trademarks. These are well known, well protected and somehow well established in the minds of users.
    
    Presentation of domain based identity has issues, somewhat more 
    fundamental ones like homograph attacks, plus the risk of mis-issuance for 
    a whole wealth of possible reasons. Users somewhat regularly fail to 
    properly match domain based identity of the site they are interacting 
    with, or to know which site they in fact want/should interact with.
    
    These issues would apply one to one to identity as f.x. captured in 
    (current) EV certificates, or at the very least I fail to see any 
    possible mechanism that would make these issues apply to domain based 
    identity only.
    
    > Solution: Work on reliable standards, audit scheme and UI elements
    
    I am terribly sorry to say, but considering the problem statement you 
    gave and my thoughts as outlined above, I really do not think we just need 
    to "Work on reliable standards, audit scheme and UI elements", and would 
    then be done with, if not 100%, some significant fraction of the problem.

There is always still room for improvement, but it's a good first step: the required underlying techniques have already been established and accepted; it "just" needs improvement instead of reinventing the wheel.
    
    Tobi
    
