peoplewindow | 7 years ago
"I found what looks like a flaw in a system but I didn't try to exploit it for real, look how clever I am"
So his mate registered a company with the same name as another company and got an EV cert. Well done. Everyone knew that was possible already, at least everyone who has gone through the process. It doesn't matter much:
1. Ian wasn't actually a phisher or criminal. If he had been, and had used that EV cert to phish Stripe customers, he'd have been reported to the police using the details from the CA and possibly prosecuted. Bear in mind he had to register a company in the USA, not Kazakhstan.
2. Therefore in reality it is very rare for phishers to use EV SSL certificates. Actually I've never seen it.
So is this a demo that the system is horribly flawed? I don't think so. It's rather similar to people who send 10 spams to some accounts they just registered themselves and claim they've found a way to beat a spam filter so the whole thing is useless ... well, no, you weren't actually a spammer so the filter did the right thing. You're testing a flaw you think sounds realistic but isn't. Another common case of this: someone who beats a DRM system on a game 6 months after it was released and then talks about how useless copy protection is, not realising that after 6 months almost all sales have happened already, so the system worked just fine from the developers' perspective.
What about revocation? Is the CA exercising undue control here? Probably not. CAs have language in the contracts you agree to at the time about how you're not trying to misrepresent yourself as if you were someone else. Ian's argument that he registered a name that happens to be identical to a well known payment processor, but in another state, is technically correct, which is of course the best kind of correct. But the underlying purpose was clearly impersonation, which is a violation of the agreements and thus not only grounds for revocation, but to not do so would rather undermine the whole system - why should Ian get away with it when others do not?
If stripe.ian.sh had been an actual operating company that happened to have experienced an unfortunate naming conflict with the other Stripe, I bet the CAs would not have revoked. They'd have found some reasonable solution - probably by letting the cert continue, on the grounds that no malicious behaviour was taking place in violation of the agreements. But it wasn't - it was just a dummy site.
Overall I don't understand Scott's or Ian's point. Yes, legal names aren't globally unique. Did anyone think they were? Yes, Chrome's EV UI is rubbish, and the big players other than Apple tend to have an institutional dislike of EV certs because of historical clumsy attempts at market segmentation pricing by CAs that were totally unreasonable for companies with lots of servers. Yes, EV is imperfect.
The alternative though is paypal-customer-centerr.com ... which is better, how, exactly? It isn't.
If Scott Helme or Ian Carroll don't like how EV works today, why not go find actual criminal abusers and propose specific improvements that would stop them - perhaps making Chrome's address bar work more like Safari's. Otherwise this is just another blog pointing out security stuff that doesn't really matter.
tialaramex | 7 years ago
Are you _from_ the USA? Or do you believe its propaganda from outside?
You don't need to even be able to point to the USA on a map to set up a US company and do all this paperwork. You fill out a few forms on a web page, pay a little bit of money, American lawyers sort everything else out. They keep some of the money, the State keeps the rest, everybody is happy. Oh, except your victims. They can call the cops of course, but the State obeyed the law, and the Lawyer just does paperwork. It's not a crime to be the lawyer for a crook.
Why don't crooks do this today? Well, there are two answers. For big crimes, stuff like crooked property deals, they absolutely do this already, it's completely routine. For a phishing site they don't bother because it's not necessary. If 90% of visitors to your unsecured http://paypal-credit-checking.example/ fill out the form, and you get that up to 99% by obtaining a DV certificate for it, why spend $500 setting up a US corporation for the extra one percent? But if you persuade everybody EV is great, then sure, that's what they'll do next.
ryanlol | 7 years ago
It also wouldn't scale; domains get blacklisted within minutes or hours, and getting an EV cert takes longer than that.
Scott_Helme_ | 7 years ago