undefined | Better HN

0 pointsgruez8y ago0 comments

but in this case, what is Comodo supposed to do? For a generic name such as "stripe", are other (less famous) "stripe" companies, are they out of luck if they want a EV certificate?

0 comments

4 comments · 1 top-level

pishpash8y ago· 3 in thread

Maybe it's time to put all the certification documentation into the certificate so they can be retrieved and viewed by anyone. Registration, signatures, payments, proofs, etc. Why does only the CA get to see it? Everyone should be able to see.

tialaramex8y ago

Depending on the certificate, this could be quite a lot of data, the certificate is delivered on every new connection, right now they're commonly a kilobyte or so of data.

For a typical DV certificate, maybe the CA has done 3.2.2.4.6, so they have a log showing the DNS look-up they did from first principles (so it's the whole thing from the root, not just a cached single entry), then the HTTP transaction, with the Request Token inside it, and they've matched the Request Token against the expected value. That could easily be several kilobytes. The CA is required to store this, but burning it into the certificate is extra data all so that what, one person in a million can look at it, and go "Eh, that looks roughly like I'd expect" ?

For an EV certificate there's going to be stuff they found in a government data source, then the stuff from Dun & Bradstreet, then... what maybe a WAV file of a phone call to the number listed in D&B? PDF scans of headed notepaper? And it tells you... somebody, somewhere said this was fine. So what?

As I've stated on m.d.s.policy the ability to make companies in the US and UK that can't be traced back to their real owners without a heroic effort by law enforcement is not a bug it's a feature. Your government (if you live in the UK, the US, or even arguably the EU) tacitly supports the dirty business done by this route so long as they're able to disclaim any knowledge it's going on.

pishpash8y ago

You can send it through a secondary query, not in the initial cert, so only if the user looks it up. It should be a supported possibility though. As for what you get out of it, that's okay, have it match meatspace level first, not trying to fix the world.

tinus_hn8y ago

The information you need is in the certificate. The problem is it doesn’t fit in the UI.

j / k navigate · click thread line to collapse