by dbalan 2501 days ago
I don't have any solutions to your last statement, but one of the problems is that the legal name of the entity matching doesn't really mean it's the same entity you think it is - the example (also in the original page): https://stripe.ian.sh/
2 comments

When I visit that page I don't see an EV banner in my Chrome, version 76.0.3809.100. It seems like I'm meant to according to the document?

Edit: I see, it says it was revoked. Well that makes sense:

> Edit (April 29th, 2018): This site no longer uses an EV certificate. Comodo arbitrarily revoked — without any notice — the first certificate, saying this site was made with the intent to mislead. GoDaddy issued us a new one on 04/11/2018, but revoked it later that day, stating that the site was fraudulent.

So OBVIOUSLY the CAs are trying (maybe not as hard as we'd hope) to make sure EV is used responsibly, so why kill EV? Why not just improve the process a little bit more to make it unlikely to give an EV cert that clearly intends to mislead?

> It is notable that neither company believes they mis-issued the certificate.

What? They clearly revoked both and specified the reason, so does that not make the mis-issuance implicit?

(This is my site.)

Comodo has told me that they would give me a new certificate if I wanted. Unfortunately, tax complications in Kentucky mean the legal entity no longer exists. Feel free to replicate it, though :)

The definition of "mis-issuance" has some contention, but generally it means that the guidelines for issuing the certificate were violated (Baseline Requirements, EVGLs, etc). No guidelines/policies were violated for those certificates.

Corporate name collisions are not a problem that EV was intended to solve.

The point of an EV is that it ties TLS authentication back to a legal identity. Ian even helpfully points out that the two "Stripe" companies, his and the famous payment company, have different corporate filings. He even links to them!

I would argue that this demonstrates, not disproves, the value of EV. A DV cert would not be traceable to any corporate filing at all.

> The point of an EV is that it ties TLS authentication back to a legal identity. Ian even helpfully points out that the two "Stripe" companies, his and the famous payment company, have different corporate filings. He even links to them!

But that doesn't matter. The whole point of EV was that users would see the name in the address bar and trust it. If the model requires users to click through and read the details of the corporate filings, then EV was already a failure before it began.

> The whole point of EV was that users would see the name in the address bar and trust it.

This is not the point of EV. That's what I'm trying to say here.

It's obvious this would never be 100% reliable because sometimes the corporation has a different (lesser known) name from the popular product, and sometimes company names are similar.

The idea that EV only works if consumers 100% recognize and trust every possible green name is a strawman that was propped up to be knocked down.

But it literally is the selling point. If customers aren't expected to see the green text in the status bar and implicitly trust it, then EV has no value whatsoever. Because 0.00000001% of people will actually click through to see anything past the company name. Hell, I don't even have the slightest clue how to see the corporate filings. When I click through to see chase.com's certificate all I know is it's a company "JPMorgan Chase and Co." in NYC and it was issued by something called "Entrust, Inc."
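The thread turns on one point: the organization name a browser displays is only part of what an EV certificate binds, and two entities can share it (the stripe.ian.sh case). What disambiguates them is the rest of the subject: the registration number (serialNumber), the jurisdiction of incorporation and the business category. The Go program below is an added example written for this page, not code from Hacker News, from the stripe.ian.sh author or from any CA. It builds two constructed self-signed certificates with the same "Stripe, Inc." organization name but different (made-up) registration numbers and jurisdictions, then reads the EV identity fields back out and shows that matching on name alone is the wrong comparison. "Kentucky" follows the thread; "Delaware" and the serial numbers are placeholders and say nothing about any real filing; `example.test` is a placeholder hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute OIDs the EV Guidelines use to carry the subscriber's
// legal identity beyond the plain organization name (O).
var (
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionState   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// EVIdentity is the set of subject fields that together identify the
// registered legal entity. Organization is the part a browser displays;
// the other fields are what separate two companies sharing that name.
type EVIdentity struct {
	Organization        string
	SerialNumber        string // registration number with the incorporating authority
	BusinessCategory    string
	JurisdictionCountry string
	JurisdictionState   string
}

// ExtractEVIdentity reads the EV identity fields out of a parsed certificate.
func ExtractEVIdentity(cert *x509.Certificate) EVIdentity {
	id := EVIdentity{SerialNumber: cert.Subject.SerialNumber}
	if len(cert.Subject.Organization) > 0 {
		id.Organization = cert.Subject.Organization[0]
	}
	// Jurisdiction and business category are not first-class pkix.Name
	// fields, so they are looked up by OID in the raw attribute list.
	for _, atv := range cert.Subject.Names {
		s, ok := atv.Value.(string)
		if !ok {
			continue
		}
		switch {
		case atv.Type.Equal(oidBusinessCategory):
			id.BusinessCategory = s
		case atv.Type.Equal(oidJurisdictionState):
			id.JurisdictionState = s
		case atv.Type.Equal(oidJurisdictionCountry):
			id.JurisdictionCountry = s
		}
	}
	return id
}

// SameLegalEntity reports whether two EV identities refer to the same
// registered entity: name, registration number and jurisdiction must all match.
func SameLegalEntity(a, b EVIdentity) bool {
	return a.Organization == b.Organization &&
		a.SerialNumber == b.SerialNumber &&
		a.JurisdictionCountry == b.JurisdictionCountry &&
		a.JurisdictionState == b.JurisdictionState
}

// makeEVStyleCert builds a self-signed certificate carrying EV-style subject
// fields. Constructed demo data only; a real EV certificate is issued by a CA
// after validating these fields against public registries.
func makeEVStyleCert(id EVIdentity) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{id.Organization},
			SerialNumber: id.SerialNumber,
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: id.BusinessCategory},
				{Type: oidJurisdictionCountry, Value: id.JurisdictionCountry},
				{Type: oidJurisdictionState, Value: id.JurisdictionState},
			},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(24 * time.Hour),
		DNSNames:  []string{"example.test"}, // placeholder hostname
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Two constructed identities: same displayed name, different filings.
	ky := EVIdentity{"Stripe, Inc.", "KY-0000001", "Private Organization", "US", "Kentucky"}
	de := EVIdentity{"Stripe, Inc.", "DE-0000002", "Private Organization", "US", "Delaware"}
	certKY, errA := makeEVStyleCert(ky)
	certDE, errB := makeEVStyleCert(de)
	if errA != nil || errB != nil {
		panic("certificate construction failed")
	}
	a, b := ExtractEVIdentity(certKY), ExtractEVIdentity(certDE)
	fmt.Printf("A: %+v\nB: %+v\n", a, b)
	fmt.Println("same displayed name:", a.Organization == b.Organization)
	fmt.Println("same legal entity:  ", SameLegalEntity(a, b))
}
```

The comparison in `SameLegalEntity` is the check a verifier of an EV identity has to perform; a UI that surfaces only `Organization` (plus city and issuer, as described for the chase.com case above) gives the user no way to perform it.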