I don't want this to end badly for you (via CertSimple), but as you perhaps come to anticipate my primary concern is always preventing Future Harm. EV hasn't been effective for that purpose.
The article I've just read never uses the phrase "the true meaning of SSL certificates" that I can see; if that was removed I apologise, but otherwise I think I have to assume you're putting words in Troy's mouth.
"The certificate fields for organisation, city, etc have existed and were expected to be verified since SSL was created in the nineties. Anyone who has ever made a CSR knows this."
Anyone who understands what's actually going on here knows that these are part of the X.500 directory system and are present in Netscape's SSL because it leverages that system's X.509 certificate format. In 1999 PKIX (RFC 2459) proposes how to use this system sensibly with the Internet, and the modern Web PKI largely falls out of that and its successor documents.
Prior to the CA/B Forum (and the creation of Extended Validation) the only promises you had about what, if anything, in certificates you relied on had been "verified", and to what extent, were written in the legal documents of the issuing CA. In most cases they disclaimed all or almost all responsibility to the extent possible. Their methods were... unsound.
Even today, when, if you run Firefox (or more or less, Android), you can actually trust that someone cares whether the validation was done properly, it's more slipshod than any of us should want. What has Certinomis been up to for the past few years? What are all these certificates doing with ST=Some-State (yes, literally the words "Some-State", because that's the default in OpenSSL)? Or L=Default City (again, the default in OpenSSL)?
I think we can reasonably conclude that the reason nobody engaged with my questions about those is that the answers would be embarrassing and they're hoping that if they stay quiet nobody will follow up by asking why they're filling this crap out (to make money) if they can't validate it properly...
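As an added illustration (not code from the thread or from CertSimple), a small Python check that parses the subject line printed by `openssl x509 -noout -subject -nameopt RFC2253` and flags attributes still set to the openssl.cnf sample defaults the comment above mentions. "Some-State" and "Default City" come from the comment; the other placeholder values are assumed from the stock upstream and Fedora configuration files, and the sample subject lines are constructed.

```python
# "Some-State" and "Default City" are the values discussed above; the others are
# assumed to be the matching defaults in stock upstream / Fedora openssl.cnf files.
PLACEHOLDERS = {
    "ST": {"Some-State"},
    "L": {"Default City"},
    "O": {"Internet Widgits Pty Ltd", "Default Company Ltd"},
    "C": {"XX"},  # not an ISO 3166 code, so never a real country
}


def parse_rfc2253(dn):
    """Split an RFC 2253 DN into (attr, value) pairs, honouring backslash
    escapes ('O=Acme\\, Inc.') and splitting multi-valued RDNs on '+'."""
    pairs, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ",+":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pairs.append("".join(buf))
    result = []
    for p in pairs:
        if "=" in p:
            k, v = p.split("=", 1)
            result.append((k.strip().upper(), v.strip()))
    return result


def placeholder_fields(subject_line):
    """Return [(attr, value)] for each subject attribute left at a known default.
    Accepts the raw line from `openssl x509 -noout -subject -nameopt RFC2253`."""
    dn = subject_line[len("subject="):] if subject_line.startswith("subject=") else subject_line
    return [(k, v) for k, v in parse_rfc2253(dn) if v in PLACEHOLDERS.get(k, ())]


if __name__ == "__main__":
    # Constructed sample subject lines, not from real certificates.
    for s in ("subject=CN=example.test,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU",
              "subject=CN=shop.example.test,O=Acme\\, Inc.,L=Default City,C=XX",
              "subject=CN=ok.example.test,O=Example Corp,L=London,ST=England,C=GB"):
        print(s, "->", placeholder_fields(s) or "clean")
```

Run it over the subject lines of a certificate inventory and anything it reports is a subject nobody validated; a fully clean result is not proof of validation, only the absence of this particular tell.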
> Frankly, I think this is more a symptom of people coming to grips with the true meaning of SSL (or TLS)
I did add 'certificates' so it read better (the system is PKI not SSL) but yes it's from the article.
Yep, they're x509v3 fields. Netscape was under no obligation to include them - they simply could have included CN only if they thought people didn't want to know the organisation they were communicating with.
However, Organisation was included by Netscape and it was verified until GeoTrust invented DV (and later other CAs copied it to compete with the low margins of not checking identity). Totally agreed about the poor quality of verification during the 90s though (fax on company letterhead etc).
The one thing that hasn't changed in 20 years is that people still want to know who they're communicating with online.
(DC would also provide a tree structure if Netscape had wanted to use domain names as the exclusive form of identification - but they didn't. The objective was to verify enough information for commerce, which domain names clearly do not.)