On Monday, December 11, 2017 at 4:03:41 PM UTC-5, Matthew Hardeman wrote:
> I think it will be a difficult sell to remove EV certificate UI handling,
> as nothing is proposed to replace it.

I think this is flawed. If EV doesn't provide value, and adds confusion, it 
absolutely should go, and doesn't need something to replace it to be the 
correct and right choice.

> It seems fairly simple to redefine the EV qualifications and validation
> standards to achieve strong value, though admittedly it would do so at the
> cost of some inclusiveness.

It isn't.

> That seems far more likely to achieve short term results than removing the
> UI handling, having CAs lobby to re-add the UI for a whole new program, etc.

Note: I don't think adding new UI should be the goal either.

> An objective study of the advisability of the removal of EV handling would
> incorporate an analysis of the risks EV -- as it sits today -- is
> successfully mitigating as well as the risks it enhances or presents.

I think that is both unrealistic and actively harmful. We know something is the 
cause of user confusion. We know something actively does not provide the value 
it achieves to. Yet we're insisting that the folks pointing out the harm and 
insufficiency must replace it? I hardly agree with that being in line with 
what's good for users.

An objective study of EV handling would determine what, if any, value it 
provides. If it does not - and I think work like James' and Ian's rightfully 
demonstrates, along with the research into user understanding of the UI 
surface - then it's absolutely ripe for removal. The proponents of maintaining 
the UI treatment bear the responsibility to demonstrate that UI treatment is 
meaningful and valuable, in the concrete case.

If the question is just "power users" want it, then it can be moved to 
secondary UI surface, like it already is - the certificate viewer - or even 
removed entirely, since power users can access that information.

> That Kentucky registration for Stripe, Inc.  -- Is it completely fraudulent
> as to registered agent, business address, etc?  If it's not, then the
> certificate and underlying entity serve as an archived investigative entry
> point for law enforcement or potential civil action.

Fundamentally, I think this is misleading. It presumes that, upon something bad 
happening, someone can link it back to that certificate to link it back to that 
identity. If I was phished, and entered my credentials, there's no reason to 
believe I've maintained the record details including the phishing link to know 
I was phished. Are users supposed to spelunk their HTTP cache or maintain 
complete archives of every link they visited, such that they can get the cert 
back from it to aid an investigation?

The problem with this comparison (and indeed, CAs like to bring it up) is 
there's no model of how it gets to the civil action or criminal investigation 
to begin with, in a way that is equivalent with the supposed risks it prevents.

> Even if it is, someone filed the paperwork.  Court houses have clerks,
> guards, video cameras, etc...  It still may present a real physical point
> from which to bootstrap an investigation.

Court houses also have online systems. I think if you read both Ian and James' 
work, you'll see the issues they're raising address this hypothetical.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy