realityking 14 hours ago

EV certs also showed the legal name of the company that requested the certificate - that was an advantage.

duskwuff 13 hours ago

Which would have made sense if company names were unique - which they aren't. See e.g. https://groups.google.com/g/mozilla.dev.security.policy/c/Nj... for an example of how this was abused.

wbl 11 hours ago

It was used correctly. What CAs wanted to sell wasn't something browsers wanted to support, and EV was the compromise. It just happens that what EV meant wasn't that useful irl.

crote 11 hours ago

What's the alternative, showing the company's unique registration ID?

CAs invented EVs because they wanted to sell something which could make them more money than DVs. The fact that company names aren't unique means that the whole concept was fundamentally flawed from the start: there is no identifier which is both human-readable and guaranteed to uniquely identify an entity. They wanted to sell something which can't exist. The closest thing we have got is... domain names.

duskwuff 8 hours ago

The alternative would have been to have the CA use human judgement when approving EV certificates and reject applications from organizations whose names shadowed better-known firms, or to only accept applications from a select set of organizations (like, say, banks). But either of those possibilities would have increased the cost of the program and limited the pool of applicants, so CAs chose the cheap, easy path which led to EV certificates becoming meaningless.

crote 11 hours ago

The problem is that people wrongly believe that company names are unique. In reality you're just some paperwork and a token registration fee away from a name clash.

If anything, it's a disadvantage. People are going to be less cautious about things like the website's domain name if they see a familiar-sounding company name in that green bar. "stripe-payment.com" instead of "stripe.com"? Well, the EV says "Stripe, Inc.", so surely you're on the right website and it is totally safe to enter your credentials...

dismantlethesun 9 hours ago

In many countries, company names are unique to that country. And combined with country TLDs controlled by the nation-state itself, it'd be possible for at least barclays.co.uk to be provably owned by the UK bank itself when an EV cert is presented by the domain.

In the US though, every state has its own registry, and names overlap without the power of trademark protection applying to markets your company is not in.