Published on: 2014-05-04T13:06:29+00:00
The article discusses the issue of unincorporated businesses or sole traders in the UK being unable to obtain Extended Validation (EV) certificates due to the absence of a trade register. However, this is not seen as a significant concern as they can still trade under their name, email address, domain name, or telephone number if an SMS verifying Certificate Authority (CA) is set up. The purpose of EV certificates is to avoid confusion and ensure payments are directed to the correct entity. Companies that are unable to obtain EV certificates may indirectly cause confusion among users and make them uncertain about payment expectations, potentially making it easier for confusion attacks to occur. Nevertheless, this is expected to be a minor issue in practice.The importance of showing a business name instead of just the domain name for better identification and security purposes is discussed. Domain names are more susceptible to phishing attacks compared to EV names, making it harder to distinguish between legitimate and fake websites. Hackers can also obtain a domain name SSL certificate without being easily detected. On the other hand, EV certificates involve more checks, making them more difficult for hackers to obtain. EV certificates have the domain name in the CN field and the business name in the OU field. However, there is currently no code to verify if a certificate has undergone extended validation before displaying its contents. The article suggests showing the organization data instead of the domain name if available for EV certificates. Despite the inequitable rules around EV certificates, supporting them is still considered better than taking no action.The email thread discusses the implementation and issues associated with BIP70, a payment protocol used in Bitcoin transactions. One of the concerns raised is error handling during signature checking. It is suggested that if Public Key Infrastructure (PKI) checking fails, the request should be treated as unsigned. This is because there is no incentive for an attacker to break the signature when they can simply remove it entirely. Signature checking failure can also occur when someone signs their request with an unknown CA or uses an upgraded version of the protocol that is not entirely backwards compatible. To allow for the introduction of new (possibly community-run) CAs or new variations on signing, any errors should be treated as if there was no signature at all. Additionally, wallets lack context compared to browsers, so graphical user interfaces (GUIs) should train users to expect signed payment requests. It is recommended to show the recipient name in the future and instruct users not to proceed if it does not appear. The discussion also touches on the use of extended validation certificates, which display the business name instead of the domain name, making them less susceptible to phishing attacks. However, bitcoinj and Bitcoin Core do not currently have code in place to verify if a certificate has indeed undergone extended validation before displaying the organization data field. The email also emphasizes the proper handling of different types of certificates, such as S/MIME certs, and stresses the importance of testing, providing a test site for payment requests on the main network. Lastly, memo contents should contain useful information about the purchase or the merchant's name. Expiry times should not be overly aggressive as some users may need to coordinate payments from multi-party accounts.In conclusion, the implementation of BIP70 has several important considerations that need to be addressed. These include improving error handling during signature checking, showing the business name instead of just the domain name for better identification and security, properly handling different types of certificates, and providing useful memo contents. Despite the limitations and issues discussed, supporting extended validation certificates is still seen as a step in the right direction.
Updated on: 2023-08-01T09:10:26.184403+00:00