📅 Original date posted:2014-05-02
📝 Original message:> *Extended validation certs*
>
> When a business is accepting payment, showing the name of the business is
> usually better than showing just the domain name, for a few reasons:
>
> 1. Unless your domain name *is* your business name like blockchain.info,
> it looks better and gives more info.
>
> 2. Domain names are more phishable than EV names, e.g. is the right name
> bitpay.com or bit-pay.com or bitpay.co.uk?
>
> 3. More important: Someone who hacks your web server or DNS provider can
> silently get themselves a domain name SSL cert issued, probably without you
> noticing. Certificate transparency will eventually fix that but it's years
> away from full deployment. It's much harder for a hacker to get a bogus EV
> cert issued to them because there's a lot more checking involved.
>
> EV certs still have the domain name in the CN field, but they also have the
> business name in the OU field.
Well, many certs have something in the O field. That has nothing to
do with EV - EV just mandates a particular set of validation
requirements.
>
> In theory we are supposed to have extra code to check that a certificate
> really was subject to extended validation before showing the contents of
> this field. In practice either bitcoinj nor Bitcoin Core actually do, they
> just always trust it. It'd be nice to fix that in future.
I agree that blindly showing the O field may not be ideal - there
*may* conceivably be some CAs that include it without validation on
their cheap certs (although most cheap certs simply don't include it).
But it's not clear that EV or not is the right criterion here - there
are certainly non-EV certs out there that are organisation validated.
> You should show the organisation data instead of the domain name if you
> find it, for EV certs.
I have really mixed feelings about giving this privileged treatment
exclusively to EV certs, for the simple reason that the rules around
EV certs are iniquitous and some businesses are excluded.
e.g. in the UK sole traders (that is, unincorporated businesses) can't
get EV certs because the UK doesn't maintain a trade register of such
businesses and therefore such businesses are incapable of satisfying
the EV rules.
That said, EV certs are here, now, and (sadly) supporting them is
better than doing nothing...
roy
Roy Badami [ARCHIVE] /
npub1tr…0f95j
2023-06-07 15:20:51
in reply to nevent1q…pys5
Author Public Key
npub1trckpcxmceskq4cykxgwxm63n8ugrjrpu5mk83c90e4upsf7d9gqf0f95jPublished at
2023-06-07 15:20:51Event JSON
{
"id": "ad94f0529fd8673832bdfc5e6adf36f264205131ba3ff4c33823d0c9c2b428f4",
"pubkey": "58f160e0dbc661605704b190e36f5199f881c861e53763c7057e6bc0c13e6950",
"created_at": 1686151251,
"kind": 1,
"tags": [
[
"e",
"18d7a459c6375e1279e5433315817afbc919515fa0d8b86acb29267633f13eef",
"",
"root"
],
[
"e",
"170135daa898791f1987c52cce2df73f7c448b7cf65b2d759f6a0584ea793818",
"",
"reply"
],
[
"p",
"3a24ce2145c5488aebfb0fc113e7d44234e9d3733afa45e2d880eb259c3eade3"
]
],
"content": "📅 Original date posted:2014-05-02\n📝 Original message:\u003e *Extended validation certs*\n\u003e \n\u003e When a business is accepting payment, showing the name of the business is\n\u003e usually better than showing just the domain name, for a few reasons:\n\u003e \n\u003e 1. Unless your domain name *is* your business name like blockchain.info,\n\u003e it looks better and gives more info.\n\u003e \n\u003e 2. Domain names are more phishable than EV names, e.g. is the right name\n\u003e bitpay.com or bit-pay.com or bitpay.co.uk?\n\u003e \n\u003e 3. More important: Someone who hacks your web server or DNS provider can\n\u003e silently get themselves a domain name SSL cert issued, probably without you\n\u003e noticing. Certificate transparency will eventually fix that but it's years\n\u003e away from full deployment. It's much harder for a hacker to get a bogus EV\n\u003e cert issued to them because there's a lot more checking involved.\n\u003e \n\u003e EV certs still have the domain name in the CN field, but they also have the\n\u003e business name in the OU field.\n\nWell, many certs have something in the O field. That has nothing to\ndo with EV - EV just mandates a particular set of validation\nrequirements.\n\n\u003e \n\u003e In theory we are supposed to have extra code to check that a certificate\n\u003e really was subject to extended validation before showing the contents of\n\u003e this field. In practice either bitcoinj nor Bitcoin Core actually do, they\n\u003e just always trust it. It'd be nice to fix that in future.\n\nI agree that blindly showing the O field may not be ideal - there\n*may* conceivably be some CAs that include it without validation on\ntheir cheap certs (although most cheap certs simply don't include it).\nBut it's not clear that EV or not is the right criterion here - there\nare certainly non-EV certs out there that are organisation validated.\n \n\u003e You should show the organisation data instead of the domain name if you\n\u003e find it, for EV certs.\n\nI have really mixed feelings about giving this privileged treatment\nexclusively to EV certs, for the simple reason that the rules around\nEV certs are iniquitous and some businesses are excluded.\n\ne.g. in the UK sole traders (that is, unincorporated businesses) can't\nget EV certs because the UK doesn't maintain a trade register of such\nbusinesses and therefore such businesses are incapable of satisfying\nthe EV rules.\n\nThat said, EV certs are here, now, and (sadly) supporting them is\nbetter than doing nothing...\n\nroy",
"sig": "95b69a390123730476066a9652040f3b137a56a54deac715bead66b3ad88491e66e7b56bba8e3d94fbd3b453237072e96d019ed7db03b949113e973e2db8f3df"
}