On Mon, Dec 11, 2017 at 2:14 PM, Tim Hollebeek <[email protected]> wrote:
> It turns out that the CA/Browser Validation working group is currently
> looking into how to address these issues, in order to tighten up validation
> in these cases. We discussed it a bit last Thursday, and will be continuing
> the discussion on the 21st.
>
> If anyone has any good ideas, we'd be more than happy to hear them.
>
> -Tim

Hi Tim,

The proposal to 'tighten up validation' seems to presume that those certificates should not have been issued in the first place, and/or rules should exist to prohibit such issuance. I'm not sure that would appropriately reflect the "Intent" of EV (to provide legally identifying information about the certificate holder).

Further, I think the questions Ian raised in his post are rather fundamental to the value proposition of granting EV any particular UI, and so I'm curious to hear from Mozilla whether they are comfortable granting external control over their critical security surface (the URL bar).

As you know, Chrome is still evaluating the value of EV having special UI, as discussed in past CA/Browser Forum meetings [1][2]. This doesn't opine on the value of EV to the ecosystem overall, but rather, the value in browsers distinguishing such certificates or affording specialized UI.

[1] https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/#Google
[2] https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/#Google

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

