by tialaramex 1609 days ago
> Back when certificates were issued manually, a CA was also verifying that the requesting party was actually who they were claimed to be IRL

I see. For, say, the Bank of America, how did you imagine this working? The CA maybe has a guy fly to BoA headquarters, meet up with the CEO and chairman, and then sign off on the certificate? Wait, one guy isn't really much assurance, is it? So I guess they'd need a whole team of people to be sure, jetting around the world, meeting up with the senior leadership of companies and checking their bona fides.

Do I need to tell you it wasn't actually like that?

> hence EV certificates and all that.

EV comes into existence as part of a deal between the Certificate Authorities and the Browser vendors back when desktop PCs were very important. They each want different things, and the resulting compromise leads to the Baseline Requirements and the CA/B Forum.

What the browsers want, and get, is actual validation for all certificates. I know, that sounds like a low bar, but that's how bad things had gotten. The CA/B BRs don't initially even specify how the validation should work, that takes until the "Ten Blessed Methods" a few years ago.

What the CAs want, and get, is desktop browser UI dressing that makes their most expensive certificates look cool under the name "Extended Validation". The browsers can't and don't promise this is a good idea, but it keeps CA bottom lines healthy which is important to them as markets open up and prices fall.

Now it turns out that the CA/B and BRs are a useful ratchet on overall validation and security practices and, probably, overall this benefits the Browsers (who by now are effectively the OS vendors, with Mozilla standing in for the Free Unixes) more than the CAs. But arguably it also benefits the CAs because with weak validation the whole thing is useless, and they go out of business anyway.

1 comment

> The CA maybe has a guy fly to BoA headquarters, meet up with the CEO and chairman, and then sign off on the certificate?

I assume the BoA doesn't require their CEO to personally meet with every subcontractor that BoA gets into a business relationship with. You have employees for that?

Why would working with a CA be any different than, say, hiring an attorney or opening a bank account?

Well, this is a fun game though, isn't it? If a firm of lawyers sues you "on behalf of Bank of America", at what point do you feel like they didn't check properly who their client was, and so they are responsible for the bogus lawsuit and the resulting costs, not this enormous corporation?

If only the manager of a local BoA branch told them they were hired?

How about if it's an assistant manager?

How about if rather than meeting them in the branch, the supposed assistant manager was in the area and so dropped in to the law office in person?

The attorneys weren't available, so, they did a Zoom call?

Just a phone call?

Actually it was an email.

At some point, you realise, wait, they didn't actually validate anything of value here did they, anybody could be this supposed "Bank of America". And the reality is that PKIX certificates began that slide essentially immediately, before even the PKIX working group was set up.

And this is only half of the problem. It's easy for Bank of America because we're both thinking of the same entity, but "Big Bob's" might be a burger restaurant in your city, a private security firm in mine, and an LA law firm, so a certificate for "Big Bob's" doesn't even "validate" a name we're agreed on. That's why DNS ends up mattering, the DNS offers a single global namespace.

Come on, that's not how it works. There are specific, well-defined circumstances that define what a particular legal entity (such as a company or a corporation) is and who may or may not act on its behalf.

Otherwise, any kind of company could escape responsibility by simply pretending it doesn't exist and every employee just acted on their own.

But which one is "not how it works"?

As I said, for the DNS validation we actually have pretty specific technical rules today, the "Ten Blessed Methods" (well, their modern successors), which is why we're talking about one of those methods here (tls-alpn-01 is method 3.2.2.4.20).

Today there are rules for EV, but they're understandably vague, because they're talking about the problem we addressed above. Eventually they get down to this idea of a "Principal Individual", which can include "an employee" who is merely "authorised to conduct business" on behalf of (in our example) Bank of America, and of course you're back to square one. How can we know they're authorised?

The trick in the DNS validation is that we're asking a question machines could potentially have an authoritative answer to. Does this applicant control this DNS name? Not "Should they?". Not "Are they authorised?" but specifically do they control it.

The non-DNS validation can't do that.
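The question the last comment says DNS validation can mechanize ("do they control this name") is exactly what the tls-alpn-01 method (RFC 8737) asks, and it is worth seeing what the CA actually checks. The following Go program is an added example, not code from the thread or from any CA or ACME client; it uses only the standard library and plays both sides over an in-memory pipe. The applicant serves a self-signed certificate for the identifier whose critical id-pe-acmeIdentifier extension carries SHA-256 of the key authorization; the CA connects with SNI set to the identifier and ALPN acme-tls/1, then checks the negotiated protocol, the single dNSName SAN, and the extension digest. The identifier example.test and the key authorization string are constructed stand-ins (a real key authorization is token "." base64url(JWK thumbprint), which this program does not compute), and a real CA would connect to the name's resolved address from several network vantage points rather than through a pipe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RFC 8737 constants: the ALPN protocol name and the id-pe-acmeIdentifier extension OID.
const acmeALPN = "acme-tls/1"

var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// challengeCert (applicant side): self-signed, exactly one dNSName SAN, and a critical
// acmeIdentifier extension holding SHA-256(key authorization) as a DER OCTET STRING.
func challengeCert(identifier, keyAuthz string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuthz))
	extValue, _ := asn1.Marshal(digest[:]) // a []byte marshals as an OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		DNSNames:        []string{identifier},
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// validateChallengeCert (CA side): does this certificate bind identifier to keyAuthz?
func validateChallengeCert(cert *x509.Certificate, identifier, keyAuthz string) error {
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != identifier {
		return fmt.Errorf("want exactly one dNSName SAN %q, got %v", identifier, cert.DNSNames)
	}
	expected := sha256.Sum256([]byte(keyAuthz))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		if !ext.Critical {
			return fmt.Errorf("acmeIdentifier extension is not marked critical")
		}
		var got []byte
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
			return fmt.Errorf("acmeIdentifier extension is not a single OCTET STRING")
		}
		if string(got) != string(expected[:]) {
			return fmt.Errorf("acmeIdentifier digest does not match the key authorization")
		}
		return nil
	}
	return fmt.Errorf("acmeIdentifier extension missing")
}

// runChallenge plays both sides over an in-memory pipe: the applicant serves the challenge
// certificate selected by SNI; the CA connects with ALPN acme-tls/1 and checks what it got.
func runChallenge(identifier, keyAuthz string) error {
	serverCert, err := challengeCert(identifier, keyAuthz)
	if err != nil {
		return err
	}
	applicantSide, caSide := net.Pipe()
	defer applicantSide.Close()
	defer caSide.Close()
	applicantCfg := &tls.Config{
		NextProtos:             []string{acmeALPN},
		SessionTicketsDisabled: true, // nothing after Finished, so the unbuffered pipe cannot stall
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName != identifier {
				return nil, fmt.Errorf("no challenge certificate for SNI %q", hello.ServerName)
			}
			return &serverCert, nil
		},
	}
	applicantErr := make(chan error, 1)
	go func() { applicantErr <- tls.Server(applicantSide, applicantCfg).Handshake() }()
	caConn := tls.Client(caSide, &tls.Config{
		ServerName:         identifier,
		NextProtos:         []string{acmeALPN},
		InsecureSkipVerify: true, // self-signed by design; validateChallengeCert is the real check
	})
	if err := caConn.Handshake(); err != nil {
		return err
	}
	if err := <-applicantErr; err != nil {
		return err
	}
	state := caConn.ConnectionState()
	if state.NegotiatedProtocol != acmeALPN {
		return fmt.Errorf("ALPN %q was not negotiated", acmeALPN)
	}
	return validateChallengeCert(state.PeerCertificates[0], identifier, keyAuthz)
}

func main() {
	// Constructed stand-ins; a real key authorization is token "." base64url(JWK thumbprint).
	if err := runChallenge("example.test", "token123.thumbprint456"); err != nil {
		fmt.Println("tls-alpn-01 failed:", err)
		return
	}
	fmt.Println("tls-alpn-01 passed for example.test")
}
```

Note what the CA side never asks: nothing about who the applicant is or whether anyone authorised them. The only inputs are the name, the ALPN value, the SNI-selected certificate and a digest tied to the applicant's ACME account key, so a machine can answer it authoritatively, which is the comment's point.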