> On Jul 22, 2020, at 23:56, Luis E. Muñoz <sa@lem.click> wrote: > > On 22 Jul 2020, at 23:14, Kevin A. McGrail wrote: > >> However, I have questions of adoption rate, impersonation concerns, >> anticompetitive concerns, and privacy concerns. This just sounds like a >> commercial tracking pixel but the devil is in the details. >> >> The pilot will shake things out more I imagine. > > Money is of course a motivation here. This breathes some fresh air to CAs and > opens the possibility to a few new interesting revenue streams for all the > parties. > > I'm not sure on the potential for user tracking although I haven't read the > material deep enough. > > The adoption will depend greatly on the price for the new certificates that > will have to go with this service. I think a wait-and-see approach is the > right thing to do here. This is what I'm advising others to do on this topic. > > Impersonation will of course be a very interesting topic. I looked at it briefly for *dayjob* because of the lunatics that email us trying to claim we have a bug bounty because we don't do it. (Just like the ones that tell us robots.txt is an XSS issue. Yes, really.) It looks like the price for one of the CA's to do this is $2500 *per year*. And the image you're linking has to be registered as your actual trademark for your actual organization -- so there could not, for example, be my personal logo in there since it's not a registered trademark. (We need those CA's to do something with the money they were making on EV certs for the "green browser bar" after all!) From there, the certificate either embeds the svg, or it links to it, but I think the preference is that it be an embed. -Dan
