[Servercert-wg] Displaying secure sites to Internet users

Paul Walsh paul at metacert.com
Thu Nov 21 12:50:22 MST 2019

Hi Tobias,

I have answered your question below.

As promised, my participation will be kept to a minimum. If anyone disagrees with anything I say below, I’ll just accept that as a disagreement and not an invitation or request for me to reply with counter arguments. This is it for me on this subject :)

> On Nov 16, 2019, at 10:39 AM, Tobias S. Josefowitz <tobij at opera.com> wrote:
> On Fri, 15 Nov 2019, Paul Walsh via Servercert-wg wrote:
>>> On Nov 15, 2019, at 8:27 AM, Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org> wrote:
>>> Additionally, do you have any suggestions on how to ensure the identities expressed in certificates today are reliable? We have ample evidence that the information presently expressed in EV certificates cannot be relied upon, and that the standards (such as the EV Guidelines) do not provide the necessary or sufficient guidance to ensure the information is reliable.
>> [PW] Again you ignore things being said because you either disagree or you dislike the people saying them. If you disagree with things being said by experts on this subject, you could at least reference them and use data points from which to show us where and how you draw opposing conclusions. At least then we can see why you say the things you say. Right now I see zero logic to anything you assert about browser UI - while also thinking you're exceptionally articulate and smart in other technical areas.
>> You can start by pointing us to a single instance of when a criminal has set up a company and obtained an EV certificate for the purpose of carrying out criminal activity - feel free to go back as far as you like. Please don't bother to point to researchers who did this for the purpose of showing that it can be done in theory. We all know it can be done in theory, as we're all smart here. So this can be addressed separately.
> Speaking of seeing logic, I cannot see how this would be relevant. You bring this up repeatedly, here and elsewhere, but I do not follow. Criminals not going to the trouble of getting EV certs for their undertakings could obviously be explained by a few things:
> * It could simply be impossible.
> The fact that researchers have done it shows us that it is not impossible, unless you would want to make the argument that there is something that enables researchers to do it that does somehow not apply to criminals.
> * Criminals do not know about EV.
> This is listed more for completeness, that argument is silly.
> * It makes no economical sense for criminals to involve EV certificates.
> I will boldly assume that everybody will agree this to be the true reason. Which in turn means a couple of things:
> 1) EV badges, in all their changing forms over the recent years, do not
>   work, in the sense that, as in fact evidenced by the lack of EV
>   phishing campaigns etc., users will happily interact with non-EV-sites
>   in ways that are suitable to harm them significantly.
> 2) You assume another component in the solution that I am not aware of,
>   which will be suitable to get users to stop happily interacting with
>   non-EV-as-you-would-like-to-see-it sites.
> and furthermore
> 3) It will not be economical, or be economical for criminals only to a
>   much lesser degree, to engage in such activity as you are concerned
>   with.
> As has been pointed out, if 2+3) are the goal here, there could be ways of achieving that that do not even involve certificates whatsoever, somewhat putting in question if the CABF/SCWG is the right venue to discuss any such solutions to begin with.
> Maybe even more important though, 2) is riddled with challenges, first and foremost the web has never been "pay to play" beyond a few relatively minor expenses required to put up a website, and any such solution for 2) should better not change that, as not having access to the solution would prevent hobbyists, enthusiasts, Open Source projects and maybe even small businesses from interacting with users in ways that could harm them (as by the supposed purpose of 2).
> Thus, to reiterate, I fail to see how presenting you with a "criminal" EV cert would be relevant.

[PW] “EV is dead” and “website identity doesn’t work” are statements attributed to research that proves it's technically possible to trick the verification system.

While I agree that it’s possible to trick the verification system, I disagreed with these statements. So, I asked the people making these statements for data points to lend insight to their conclusions. It wasn’t my intention to comment on the effectiveness of the current verification process, or past mistakes made by some CAs. 

MetaCert is the only company with a data set big enough to replace the need for EV - in theory. Yet, I’m here to assert that I believe browsers already make use of certificates and I fail to understand why CAs aren’t permitted to add whatever data they desire, to those certs. No evidence has been put forward to show that identity information inside a certificate puts any specific vendor or consumer at risk. 

If we look at food packaging, no harm has come to any company or consumer as a result of additional information being added to the label. While some consumers are happy with just the brand name, some want info on the sugar content, while others might want the calorie count. Some brands (Weight Watchers) go as far as to build a billion dollar business by focusing only on consumers that rely on the content label. The last statement can be said of identity - there are enough people to benefit to warrant our support.

I see certs in the same way as content labels. Google, Opera and Mozilla might only want DV right now because they only care about encryption, but they might want additional information in the future - using the same cert makes most sense to me - why add time, complexity and cost by creating another cert? Other browsers and applications might want to make use of different information in certs for their own purpose. Some might want the VAT number for UK companies while others might want a certificate of good standing for Delaware companies. There’s no reason not to allow CAs to include all of this information in the same cert and allow third-parties to make use of whatever they desire.

Why should CAs be told what not to include in their certs? 

I wrote about metadata being used to provide context around URIs in 2007 - using the analogy of food labels: https://web.archive.org/web/20080725055201/http://segala.com/blog/content-labels-explained-in-plain-english/

Someone once said that browser extensions aren’t scalable, or there aren’t enough people who want to rely on site identity. Here’s an extension that’s being acquired for $4bn: https://techcrunch.com/2019/11/20/paypal-to-acquire-shopping-and-rewards-platform-honey-for-4-billion/

If a browser (extension) displayed website identity just for employees of government agencies, companies and educational entities (enterprise), we’d make a massive difference to internet safety for all of society. I won’t dive into this because I already gave all the data points from which I draw this conclusion on the CA Security Council website.

Thanks :)
- Paul

> Tobi
