by crote 80 days ago
> which could easily be fixed by a policy change

It can't. Nothing is guaranteeing that organization names are globally unique, so getting an EV cert for a conflicting org name will always be possible. Well-known counterexamples are Apple (Beatles or tech company?), Nissan (computer repair guy, or car maker?), and Microsoft/MikeRoweSoft (some guy named Mike Rowe, or software giant from Redmond?).

Unless you're willing to retroactively cancel a massive number of trademarks, EVs with human-readable company names are not going to happen. The best you can do is some kind of unique company id, but who's going to check that "US0378331005" is the right one?

This is actually not hard for most cases: Add a flag next to the name.

The other thing people don't realize is that cost is a huge mitigator: EV certs costing money makes them not worth using for an exploit.

A flag of the country? Each US state has its own company register. A flag of the US state? Who is going to remember which company is incorporated where? Can you tell US state flags apart when they're scaled down to a height of ~20 px?

This is kinda looking for loopholes not recognizing the core reality of the situation. In addition to EV certs having a cost, you likely have to have a DUNS number which is globally unique, and that is a registry which can appropriately attribute you to a given country.

Is there a hypothetical scenario where you could register a business, get a DUNS number, go through EV verification, be situated in the same country, and somehow nobody stops you from registering an additional company called Microsoft?

...Maybe. And after spending a decent amount of money and leaving a massive trail of breadcrumbs to your identity with several different institutions, you will get sued, arrested, or both.

Meanwhile anyone can get a free Let's Encrypt cert for mlcrosoft.cn.

Also, legal names of companies can sometimes not match the well-known brand, making it harder to decide if the EV cert was issued for the correct company.