[Servercert-wg] Displaying secure sites to Internet users
Tobias S. Josefowitz
tobij at opera.com
Mon Nov 18 10:19:35 MST 2019
Hi Christian,
On Mon, 18 Nov 2019, Christian Heutger wrote:
> Am 18.11.19, 16:32 schrieb "Tobias S. Josefowitz" <tobij at opera.com>:
>
>> However there is nothing to suggest in the first place that pulling
>> in the "standard legal" identity of organizations and persons would
>> provide benefits over domain based identity.
>
> Exactly at this point I don't agree. It's such an ease to register a
> domain name and there is up to no check at all, who is registering a
> domain name. With international domains, subdomains looking as paths
> etc. phishing, scamming and cybercrime activists are working well on
> hiding or adopting domain "identity" (which also now lost any
> corresponding whois data, which however also has been hidden before on
> some cases). My suggestion is also going away from Entity names, as they
> are not protected as well as trademarks. This ones are well known, well
> protected and somehow well established in mind of the users.
Indeed this seems to be at the core of it.
There are various reasons why I do not see how this could actually
improve the situation for web users in any significant ways, and in
addition, also that it may not be practical to meaningfully implement.
In no particular order, starting with the trademarks:
Trademarks are generally awarded in certain categories only, and for
certain jurisdictions or geographies. There can very well still be
collisions, and even collisions that cannot be "solved" within the
legal frameworks covering trademarks.
Obviously, there exist certain "super brands" which are simply just
global, pretty much across all the categories, and are backed by legal
departments and specialised consulting firms monitoring and "protecting"
the trademark across the globe.
However, each of these superbrands is already engaged having domain names
that are just as widely recognized as their brand anyway, and I would
argue that there is little actual reason why they would need to resort
their trademark - or legal entity - to communicate or prove their online
identity to users. Yes, users fall for phishing, but that is not - in the
general case - because they cannot tell that
"web02.it.university.foreigntld/cgi-bin/paypal.php" is not actually the
payment provider of their choice.
If we talked about legal entity identity as opposed to trademarks, I
would, at this moment, not actually know the legal entity identity that
the payment provider of said hypothetical user's choice would use to
interact with me.
And that is for superbrands only. What about brands that do not enjoy this
level of distinctability? What about the many businesses that do not even
have a trademark? What about Open Source and volunteer projects, hobbyists
and enthusiasts? Should they all register trademarks? Those of them that
are not actually legal entities, should they need to become one? If a
volunteer organization would use some "borrowed" identity, i.e. of a
volunteer member taking care of their IT infrastructure or so, that would
either prevent them from meaningfully interacting with the public if the
public were successfully shifted to requiring trademarks or "matching"
legal identity.
And then we need to consider that both holding trademarks and being a
legal entity is connected with significant cost, cost that many
organizations and individuals just cannot carry.
In addition, verifying such forms of identity is presumably going to be
somewhat costly as it *possibly* is less suitable to automation.
It thus follows that either:
* Having trademarks, being a legal entity, and quite possibly going
through somewhat expensive validation will become the gatekeeper
mechanism, preventing everyone not having gone through that from
meaningfully interacting with web users, a very grave consequence and
fundamental change to how the web works today, and really not what I
would be looking for when it comes to the development of the web, or
* Everyone still has the choice to forego all these procedures and i.e.
continue using DV certificates and be able to interact (and scam and
phish) users almost just as well.
Or TL;DR, it seems to me that:
* Trademarks are not a practical basis for implementing this since their
is no uniqueness,
* The brands for which trademark based identity would work best should not
techically need it,
* Implementation would either exclude the majority of parties
participating in the web through hosting web sites and resources, or
* Leave everyone (attackers included) the option to opt out of the
additional security/identity you propose we provide, when we even today
know that users will interact with such sites in the presence of red
flags that would be obvious to the users if only they so much as had one
good look.
I realize that you may still see it differently and that I probably will
in no way have convinced you of my perspective, but I do hope that this
will serve to illustrate that the case for identity and UI is maybe not as
clear-cut as you think it is, at least in other perspectives held entirely
in good faith.
Tobi
More information about the Servercert-wg
mailing list