Hacker News: My1's comments

To be frank, I'd say that judge knows nothing. The protection measures, like encryption, need keys; these are not included, so yuzu cannot exactly bypass them. You need to get the keys to decrypt the ROMs.


Except that they can't really get your browsing history, just the domains you used. At least on the 90% of HTTPS sites most people visit.


Also, OV/EV isn't something a person can get. I mean, it might already help for some personal sites if they can be tied to other pseudonyms the user has online; so, for example, sites of more or less well-known open source software could get a link to the GitHub or whatever into the cert to directly bind the dev of that software to his website, without having to know who is behind that.

The identity problem is always fun. I mean, I don't care who someone is in real life; I only wanna know whether I have the site by the same individual who made something else.

That can be easily and automatically verified (see Keybase) and might be more than enough for a lot of things where there are only normal people involved.

It might also be helpful if a given company is more commonly known behind another online entity. Like, for example, if PewDiePie had a company which he uses for what he does, the link to his YouTube would be a much greater indicator of validity than some random company name or even his own real name (which not everyone may know).

For pure DVs, I think they should be able to issue them themselves. I mean, the only thing those prove is domain control, and with DNSSEC+TLSA there's a great way that domain owners can prove that they are in control of the domain and authorize a cert. This also lowers the number of trust paths significantly, as there is only one possible trust path over the TLD, and not like 150 CAs from who knows where. Also, both the domain owners and the users have fewer entities they have to trust, as the TLD managers have to be trusted anyway, as they ultimately have full control of their domains and thereby could make a DV cert themselves over the CAs anyway.


I always thought code signing was a class of its own (especially since I also saw the names of people in those, which directly contradicts EV, as EV cannot be obtained by people, only legal entities like companies or governments or whatever), but okay.


EVs and security is a fun topic, including obvious sarcasm. They generally are more secure for 3 reasons:

1) hardfail on revocation checks
2) you can't get around any errors generated by an EV
3) you can't fake them by trust store manipulation (except IE and maybe Edge), as the EV roots are hard compiled into the browser and not dependent on the external trust store.

Validation would have been a 4th reason if it weren't for all the obvious problems with it, especially lately.

The problem is what people imply or are made to imply from different cert types.

Back in the day people were told to just check for the lock, which obviously is dumb considering now everyone can get a DV for free.

Then, with EV, CAs told people that sites with EV are more trustworthy. Obviously nonsense considering the excluded usages of EVs in the CAB Forum documents. EVs are only supposed to make a hard link between an offline and online legal entity, and even that failed with stripe.ian.sh (although that's not exactly the fault of EVs).

EVs now get so much higher implied security that the real vs. implied security ratio is obviously very ugly, while DVs, becoming standard, obviously have much more real security than implied (if people check the URL bar correctly).


That is a good point. I didn't know most of it, and it sheds a whole new light on the EV topic for me. Especially 3) is a bombshell to me, as I was under the impression that, at least theoretically, the users have control over who they trust.


Not directly. The dev decides on your punishment, but sure, most likely throwing in a v2.


v3 actually doesn't have ANY interaction in the first place.

It just scores you, and the dev can punish if needed.

https://developers.google.com/recaptcha/docs/v3
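The "score, then the dev punishes" model in the comment above, as an added example (not from the original thread or from Google): the server takes the siteverify JSON for a v3 token and maps it to allow, escalate to a v2 challenge, or block. The thresholds, the expected action/hostname and the sample responses are assumptions; the field names follow the v3 docs linked above.

```python
"""Decide what to do with a reCAPTCHA v3 siteverify response.

v3 never challenges the visitor; it returns a score in [0, 1] and the site
decides. Thresholds below are assumed policy, not Google's defaults.
"""
import json
from datetime import datetime, timedelta, timezone

ALLOW_AT = 0.7      # score at or above this: let the request through
CHALLENGE_AT = 0.3  # score in [CHALLENGE_AT, ALLOW_AT): show a v2 challenge
MAX_TOKEN_AGE = timedelta(minutes=2)  # assumed freshness window

def decide(raw_json, expected_action, expected_hostname, now=None):
    """Return 'allow', 'challenge' or 'block' for a siteverify JSON body."""
    now = now or datetime.now(timezone.utc)
    try:
        r = json.loads(raw_json)
    except ValueError:
        return "block"
    # Failed verification (expired token, duplicate, bad secret): never allow.
    # The error-codes field is worth logging on the server side.
    if not r.get("success"):
        return "block"
    # Token minted for another action or another site than this endpoint
    # expects: treat as replay, not as a low score.
    if r.get("action") != expected_action or r.get("hostname") != expected_hostname:
        return "block"
    # challenge_ts is RFC 3339 with a trailing Z; reject stale or future tokens.
    try:
        ts = datetime.strptime(r["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return "block"
    if now - ts > MAX_TOKEN_AGE or ts > now + timedelta(minutes=1):
        return "block"
    score = float(r.get("score", 0.0))
    if score >= ALLOW_AT:
        return "allow"
    if score >= CHALLENGE_AT:
        return "challenge"  # soft punishment: spawn an interactive v2 challenge
    return "block"

# Constructed sample responses and a fixed "current time" (not captured from Google).
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
SAMPLE_OK = '{"success": true, "score": 0.9, "action": "login", "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "example.com"}'
SAMPLE_LOW = '{"success": true, "score": 0.4, "action": "login", "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "example.com"}'
SAMPLE_BAD = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
```

Call `decide(body, "login", "example.com")` with the body returned by your own POST to the siteverify endpoint; the sample constants only exercise the three branches offline.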


Not just invisible: unlike "invisible reCAPTCHA", which was kind of between v2 and v3 and does spawn a challenge on its own, v3 is entirely non-interactive, and, as you said, the site/admin decides the punishment.


Couldn't one use U2F as a captcha alternative, obviously without information about the stick itself, only the batch attestation, and then throwing the registration in the bucket? After all, it does need an interaction in meatspace, and sure, a bot could be engineered to trigger it, but you can't just relay the challenge somewhere and have someone else clear it for you, and even if you have a Lego construction or whatever to clear your captcha, it's FAR slower than having many people on a solving service help you.


The post talks about reCAPTCHA v3, but shouldn't it be v2? Because, correct me if I'm wrong, but as far as I remember reCAPTCHA v3 does NOTHING with the user and only tells the admin what it thinks about the user, and then he can spawn a normal reCAPTCHA v2 if needed.

