That's not clear at all.

Someone other than the famous Stripe, Inc. has -- without violating BR
rules or requirements -- a proper EV certificate showing (correctly) entity
name Stripe, Inc.

That this exists suggests that EV is harmful if the target is normal
everyday people.  Making the abstract normal person more confident that the
website behind that entity name is that other particular famous Stripe is
harmful.

Just my thoughts...

Matt Hardeman

On Mon, Dec 11, 2017 at 1:23 PM, Paul Wouters via dev-security-policy <
[email protected]> wrote:

> On Mon, 11 Dec 2017, Ryan Sleevi via dev-security-policy wrote:
>
>> I suppose this is both a question for policy and for Mozilla - given the
>> ability to provide accurate-but-misleading information in EV certificates,
>> and the effect it has on the URL bar (the lone trusted space for security
>> information), has any consideration been given to removing or deprecating
>> EV certificates?
>>
>
> Fix the EV GUI not to hide the hostname part of the URL, and retain the
> display of the company name.
>
> Unless you are going to invent a new namespace, there isn't anything to
> gain by removing EV. It's still better than not having EV, even if it
> is a second race to the bottom after the DV race.
>
> Paul
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>