← Back to context

Comment by realityking

16 hours ago

EV certs also showed the legal name of the company that requested the certificate - that was an advantage.

7 comments

realityking

Reply
duskwuff  15 hours ago

Which would have made sense if company names were unique - which they aren't. See e.g. https://groups.google.com/g/mozilla.dev.security.policy/c/Nj... for an example of how this was abused.

  • wbl  13 hours ago

    It was used correctly. What CAs wanted to sell wasn't something browsers wanted to support, and EV was the compromise. It just happens that what EV meant wasn't that useful irl.

    • crote  13 hours ago

      What's the alternative, showing the company's unique registration ID?

      CAs invented EVs because the wanted to sell something which could make them more money than DVs. The fact that company names aren't unique means that the whole concept was fundamentally flawed from the start: there is no identifier which is both human-readable and guaranteed to uniquely identify an entity. They wanted to sell something which can't exist. The closest thing we have got is... domain names.

      1 reply →

crote  13 hours ago

The problem is that people wrongly believe that company names are unique. In reality you're just some paperwork and a token registration fee away from a name clash.

If anything, it's a disadvantage. People are going to be less cautious about things like the website's domain name if they see a familiar-sounding company name in that green bar. "stripe-payment.com" instead of "stripe.com"? Well, the EV says "Stripe, Inc.", so surely you're on the right website and it is totally safe to enter your credentials...

  • dismantlethesun  11 hours ago

    In many countries, company names are unique to that country. And combined with country TLDs controlled by the nation-state itself, it'd be possible for at least barclays.co.uk to be provably owned by the UK bank itself when a EV cert is presented by the domain.

    In the US though, every state has it's own registry, and names overlap without the power of trademark protection applying to markets your company is not in.

    • roelschroeven  1 hour ago

      Are company names even unique within the UK? Sure, there can be only one bank named Barclays because of trademark laws, but can't there be a company in a different sector with the same name? Like Apple the computer business vs Apple the record company?

      Or don't you have small local businesses (restaurants, pubs, stores) with duplicate names as long as they're in different locations? I know here in Flanders we have, for example, tens if not more places called "Café Onder den toren" (roughly translated as "Pub beneath the tower"). Do all local businesses in the UK have different names?