On Mon, Dec 11, 2017 at 2:23 PM, Paul Wouters via dev-security-policy <[email protected]> wrote:

> On Mon, 11 Dec 2017, Ryan Sleevi via dev-security-policy wrote:
>
>> I suppose this is both a question for policy and for Mozilla - given the
>> ability to provide accurate-but-misleading information in EV certificates,
>> and the effect it has on the URL bar (the lone trusted space for security
>> information), has any consideration been given to removing or deprecating
>> EV certificates?
>
> Fix the EV GUI not to hide the hostname part of the URL, and retain the
> display of the company name.

This is already the behaviour of Firefox. Perhaps you were thinking of Safari?

> Unless you are going to invent a new namespace, there isn't anything to
> gain by removing EV. It's still better than not having EV, even if it
> is a second race to the bottom after the DV race.

I'm not sure I understand this remark. EV is an attempt to invent a new namespace (through corporate jurisdiction of incorporation). As presently implemented in Firefox (and other browsers), this namespace granularity is limited to the country, although the example from Ian highlights the long-known issue that the namespace for corporate jurisdiction can be much finer grained - down to city/municipality, in some cases.

Unless all of that information is presented to the user at the same precedence of the URL bar, and with the same understanding about what the 'expected' values should be, then there is no additional value derived from that presentation at all.

