[Servercert-wg] Displaying secure sites to Internet users

Tobias S. Josefowitz tobij at opera.com
Mon Nov 18 10:19:35 MST 2019 

Hi Christian,

On Mon, 18 Nov 2019, Christian Heutger wrote:

> Am 18.11.19, 16:32 schrieb "Tobias S. Josefowitz" <tobij at opera.com>:
>
>>    However there is nothing to suggest in the first place that pulling
>>    in the "standard legal" identity of organizations and persons would
>>    provide benefits over domain based identity.
>
> Exactly at this point I don't agree. It's such an ease to register a 
> domain name and there is up to no check at all, who is registering a 
> domain name. With international domains, subdomains looking as paths 
> etc. phishing, scamming and cybercrime activists are working well on 
> hiding or adopting domain "identity" (which also now lost any 
> corresponding whois data, which however also has been hidden before on 
> some cases). My suggestion is also going away from Entity names, as they 
> are not protected as well as trademarks. This ones are well known, well 
> protected and somehow well established in mind of the users.

Indeed this seems to be at the core of it.

There are various reasons why I do not see how this could actually 
improve the situation for web users in any significant ways, and in 
addition, also that it may not be practical to meaningfully implement.

In no particular order, starting with the trademarks:

Trademarks are generally awarded in certain categories only, and for 
certain jurisdictions or geographies. There can very well still be 
collisions, and even collisions that cannot be "solved" within the 
legal frameworks covering trademarks.

Obviously, there exist certain "super brands" which are simply just 
global, pretty much across all the categories, and are backed by legal 
departments and specialised consulting firms monitoring and "protecting" 
the trademark across the globe.

However, each of these superbrands is already engaged having domain names 
that are just as widely recognized as their brand anyway, and I would 
argue that there is little actual reason why they would need to resort 
their trademark - or legal entity - to communicate or prove their online 
identity to users. Yes, users fall for phishing, but that is not - in the 
general case - because they cannot tell that 
"web02.it.university.foreigntld/cgi-bin/paypal.php" is not actually the 
payment provider of their choice.

If we talked about legal entity identity as opposed to trademarks, I 
would, at this moment, not actually know the legal entity identity that 
the payment provider of said hypothetical user's choice would use to 
interact with me.

And that is for superbrands only. What about brands that do not enjoy this 
level of distinctability? What about the many businesses that do not even 
have a trademark? What about Open Source and volunteer projects, hobbyists 
and enthusiasts? Should they all register trademarks? Those of them that 
are not actually legal entities, should they need to become one? If a 
volunteer organization would use some "borrowed" identity, i.e. of a 
volunteer member taking care of their IT infrastructure or so, that would 
either prevent them from meaningfully interacting with the public if the 
public were successfully shifted to requiring trademarks or "matching" 
legal identity.

And then we need to consider that both holding trademarks and being a 
legal entity is connected with significant cost, cost that many 
organizations and individuals just cannot carry.

In addition, verifying such forms of identity is presumably going to be 
somewhat costly as it *possibly* is less suitable to automation.

It thus follows that either:

* Having trademarks, being a legal entity, and quite possibly going
   through somewhat expensive validation will become the gatekeeper
   mechanism, preventing everyone not having gone through that from
   meaningfully interacting with web users, a very grave consequence and
   fundamental change to how the web works today, and really not what I
   would be looking for when it comes to the development of the web, or
* Everyone still has the choice to forego all these procedures and i.e.
   continue using DV certificates and be able to interact (and scam and
   phish) users almost just as well.

Or TL;DR, it seems to me that:

* Trademarks are not a practical basis for implementing this since their
   is no uniqueness,
* The brands for which trademark based identity would work best should not
   techically need it,
* Implementation would either exclude the majority of parties
   participating in the web through hosting web sites and resources, or
* Leave everyone (attackers included) the option to opt out of the
   additional security/identity you propose we provide, when we even today
   know that users will interact with such sites in the presence of red
   flags that would be obvious to the users if only they so much as had one
   good look.

I realize that you may still see it differently and that I probably will 
in no way have convinced you of my perspective, but I do hope that this 
will serve to illustrate that the case for identity and UI is maybe not as 
clear-cut as you think it is, at least in other perspectives held entirely 
in good faith.

Tobi

More information about the Servercert-wg mailing list