Nobody is disputing the fact that these certificates were legitimate given the rules that exist today.
However, I don't believe "technically correct, but intentionally misleading" information should be included in certificates. The question is how best to accomplish that.

-Tim

-----Original Message-----
From: Jonathan Rudenberg [mailto:jonat...@titanous.com]
Sent: Monday, December 11, 2017 12:34 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: On the value of EV

> On Dec 11, 2017, at 14:14, Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> It turns out that the CA/Browser Validation working group is currently looking into how to address these issues, in order to tighten up validation in these cases.

This isn't a validation issue. Both certificates were properly validated and have correct (but very misleading) information in them. Business entity names are not unique, so it's not clear how validation changes could address this.

I think it makes a lot of sense to get rid of the EV UI, as it can be trivially used to present misleading information to users in the most security-critical browser UI area. My understanding is that the research done to date shows that EV does not help users defend against phishing attacks, it does not influence decision making, and users don't understand or are confused by EV.

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy