On 12/12/2017 12:21 AM, Hanno Böck via dev-security-policy wrote:
> Hi,
> 
> On Mon, 11 Dec 2017 11:01:10 -0800 (PST)
> Ryan Sleevi via dev-security-policy
> <[email protected]> wrote:
> 
>> I suppose this is both a question for policy and for Mozilla - given
>> the ability to provide accurate-but-misleading information in EV
>> certificates, and the effect it has on the URL bar (the lone trusted
>> space for security information), has any consideration been given to
>> removing or deprecating EV certificates?
> I support the removal of special treatments and UI for EV
> certificates.
> 
> Rationale: I believe plenty of security research shows that it is
> incredibly hard to communicate security indicators to users. If you ask
> average users about the meaning of green locks, green URL bars or
> anything else they will usually not know what it means.
> 
> This leaves only one sensible conclusion: Security indicators should be
> removed. The goal should be to have one security level that is the
> default (HTTPS+DV) and make that as secure as possible. The community
> should therefore try to strengthen the CA ecosystem as a whole and not
> try to make any "special" certificates.

For what it is worth, I'm also supporting removal of special UI elements
for EV certificates. Users tend to be easily swayed one way or the
other, and if it is to have any value the checks necessary exceed what
is natural for a CA in the ecosystem.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
