> However, I don't believe "technically correct, but intentionally
misleading" information should be included in certificates.  The question
is how best to accomplish that.

How would you determine what's misleading, and what isn't? As mentioned,
the Stripe, Inc of Kentucky could present an image of a legitimate company
in a completely different field as the better known Stripe, Inc of Delaware
(which, most people would associate with California based on where their
offices are). There's no way to know what the intended future use of the
company is, or just how legitimate the intentions of those behind it are.

In a larger sense, and to the question that Ryan raises, what value has the
EV UI treatment added? In the case of Safari, it's clear that it's actually
quite harmful to a normal user. In the case of Firefox, it's likely that
the UI treatment would add confusion as a result of the legitimately issued
certificate to Stripe, Inc of Kentucky. Instead of adding value, adding
some type of assurance, all that the UI treatment has done is make it more
likely that the user will make an unfortunate mistake - a mistake they
likely wouldn't have made if they were focused on the URL instead of the
business name displayed.

Adding the state would likely add no value, as most users would have no
idea where a business is incorporated - and this is often different from
where their offices are known to be, adding an additional level of
confusion. There is also the unrelated DBA issue, where the certificate is
issued to a company name that isn't familiar to the user, which is yet
another way the UI treatment adds confusion.

While EV validation rules could be changed to make the rules more strict,
locking new businesses out, all it does is slow the process down - it
doesn't actually prevent name collisions which could be harmful.

I have long felt that the EV UI treatment is unwarranted, and I still do
today. Removing the treatment from EV certificates, as it doesn't actually
add enough value to be justified, still seems to be the correct decision to
me.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy