Re: EV hack

We discussed this at length in the f2f (Oslo?). I strongly oppose changing
this. If DV is not reliable for DV then it needs to be fixed. I for one am
not ready to say it's EV or nothing.

2009/5/19 <michael.mccormick@wellsfargo.com>

>  Friends,
>
> Many of you are no doubt aware of green bar spoofing attacks against EV SSL
> indicators like this one:
> http://www.theregister.co.uk/2009/03/28/ev_ssl_spoofing/
>
> Agents could prevent this in most cases by requiring all displayed content
> to be AA secured (not just top level document) before displaying the AA
> indicator.  In private discussions with Wells, one browser manufacturer has
> already agreed to do exactly this in a future release.
>
> Section 5.3 of WSC-UI (current working draft) says:
>
> A Web User Agent that can display an AA indicator MUST NOT display this
> indicator unless all elements of the page are loaded from servers presenting
> a validated certificate, over strongly TLS-protected interactions.
>
> This helps mitigate the spoof risk, but I urge you to add a statement such
> as:
>
> A Web User Agent that can display an AA indicator SHOULD NOT display this
> indicator unless all elements of the page are loaded from servers presenting
> an Augmented Assurance Certificate (AAC) over strongly TLS-protected
> interactions.
>
> Regards, Mike
>
> Michael McCormick, CISSP
> Lead Architect
> Strategic Information Security Architecture
> Wells Fargo Bank
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
> FARGO"
> *This message may contain confidential and/or privileged information.  If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein.  If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message.  Thank you for your cooperation.*
>

Received on Tuesday, 19 May 2009 23:17:14 UTC
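
Added example, not part of either message or of the WSC-UI draft: the three indicator policies under discussion, evaluated against one constructed page, to show where the quoted Section 5.3 wording and the proposed AAC-only wording diverge. The resource model, the function names, and the reading of "validated certificate" as "DV or better" are assumptions made for illustration.

```javascript
// Assurance levels are an assumed model: AA = Augmented Assurance (e.g. EV).
const LEVEL = { NONE: 0, DV: 1, AA: 2 };

// Constructed sample: AA top-level document that loads one script from a
// host presenting only a domain-validated certificate.
const samplePage = {
  document: { url: "https://bank.example/login", level: LEVEL.AA, strongTls: true },
  subresources: [
    { url: "https://bank.example/site.css", level: LEVEL.AA, strongTls: true },
    { url: "https://cdn.example/widget.js", level: LEVEL.DV, strongTls: true },
  ],
};

const allLoads = (page) => [page.document, ...page.subresources];
const isAA = (r) => r.strongTls && r.level === LEVEL.AA;

// Policy A: only the top-level document is checked.
function topLevelOnly(page) {
  return isAA(page.document);
}

// Policy B: Section 5.3 as quoted. Every element must come from a validated
// certificate over strong TLS (assumed here to mean DV or better), and the
// top-level document must itself qualify for the AA indicator.
function draftSection53(page) {
  return isAA(page.document) &&
    allLoads(page).every((r) => r.strongTls && r.level >= LEVEL.DV);
}

// Policy C: the proposed wording. Every element must present an AAC.
function proposedAacOnly(page) {
  return allLoads(page).every(isAA);
}

// Returns each policy's decision plus the loads that block policy C.
function evaluate(page) {
  return {
    topLevelOnly: topLevelOnly(page),
    draftSection53: draftSection53(page),
    proposedAacOnly: proposedAacOnly(page),
    blockingAacOnly: allLoads(page).filter((r) => !isAA(r)).map((r) => r.url),
  };
}

console.log(evaluate(samplePage));
```
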