[Bitcoin-development] BIP70 implementation guidance

Roy Badami roy at gnomon.org.uk
Fri May 2 20:41:47 UTC 2014 

> *Extended validation certs*
> 
> When a business is accepting payment, showing the name of the business is
> usually better than showing just the domain name, for a few reasons:
> 
>    1. Unless your domain name *is* your business name like blockchain.info,
>    it looks better and gives more info.
> 
>    2. Domain names are more phishable than EV names, e.g. is the right name
>    bitpay.com or bit-pay.com or bitpay.co.uk?
> 
>    3. More important: Someone who hacks your web server or DNS provider can
>    silently get themselves a domain name SSL cert issued, probably without you
>    noticing. Certificate transparency will eventually fix that but it's years
>    away from full deployment. It's much harder for a hacker to get a bogus EV
>    cert issued to them because there's a lot more checking involved.
> 
> EV certs still have the domain name in the CN field, but they also have the
> business name in the OU field.

Well, many certs have something in the O field.  That has nothing to
do with EV - EV just mandates a particular set of validation
requirements.

> 
> In theory we are supposed to have extra code to check that a certificate
> really was subject to extended validation before showing the contents of
> this field. In practice either bitcoinj nor Bitcoin Core actually do, they
> just always trust it. It'd be nice to fix that in future.

I agree that blindly showing the O field may not be ideal - there
*may* conceivably be some CAs that include it without validation on
their cheap certs (although most cheap certs simply don't include it).
But it's not clear that EV or not is the right criterion here - there
are certainly non-EV certs out there that are organisation validated.
 
> You should show the organisation data instead of the domain name if you
> find it, for EV certs.

I have really mixed feelings about giving this privileged treatment
exclusively to EV certs, for the simple reason that the rules around
EV certs are iniquitous and some businesses are excluded.

e.g. in the UK sole traders (that is, unincorporated businesses) can't
get EV certs because the UK doesn't maintain a trade register of such
businesses and therefore such businesses are incapable of satisfying
the EV rules.

That said, EV certs are here, now, and (sadly) supporting them is
better than doing nothing...

roy

More information about the bitcoin-dev mailing list