On Wed, Dec 13, 2017 at 05:58:38PM +0000, Tim Shirley via dev-security-policy 
wrote:
> So many of the arguments made here, such as this one, as well as the
> recent demonstrations that helped start this thread, focus on edge cases. 
> And while those are certainly valuable to consider, they obscure the fact
> that “Green Bar” adds value in the mainstream use cases.  If we were
> talking about how to improve EV, then by all means focus on the edge
> cases.  The thing I don’t see in all this is a compelling argument to take
> away something that’s useful most of the time.

That assumes it's useful most of the time.  I don't believe there's evidence
that the EV UI is -- all the rigorous research I'm aware of shows that the
EV UI is rarely "useful" to users.

Even in the rare case of a user that knows to look for the EV indication,
the information that the EV UI presents is demonstrably insufficient for the
purposes you wish to use it for.  Anyone who wants to use the information
present in an EV certificate to make trust decisions needs to dig into the
cert info screen to determine *which* "FooBar Holdings Inc." they're talking
to when they visit https://example.com.

So, the current situation is that the EV UI is useless for *everyone*.
There are two options to "fix" it:

* Insert even more information into the EV "green bar", for the benefit of
  the tiny fraction of users who know and care what that information
  actually is; or

* Remove it as being insufficiently valuable to users-in-aggregate.

I have my doubts that there has ever been a situation in which adding more
information to a UI element that users already ignore and don't understand
has improved user experience, so I'm not expecting stuffing
jurisdictionOfIncorporation, registration numbers, and all manner of other
stuff into the green bar is going to improve matters.  So I'm in favour of
removing the UI element entirely.

As others have mentioned, there's no reason why, if browsers were to remove
the "green bar", EV certificates need to necessarily go away[1].  The tiny
subset of users who wish to examine the identity of the organisation behind
the site that sent them a form (not necessarily the same organisation as the
one they'll be sending the form data to, as Nick Lamb has explained) can
open the cert viewer and dig in.  It's simply that there's no compelling
evidence that putting an organisation name and country in a green bar is
sufficiently valuable for users-in-aggregate to be worth keeping it.

- Matt

[1] CAs are fine to keep selling EV certificates, and marketing them in
    whatever way they see fit, if they like.  OV certs are still a thing
    despite conveying no UI advantage, so there's no more reason to believe
    EV will cease to be a thing just because browsers remove the green bar,
    than there is evidence that the EV UI is useful.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
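The gap Matt describes between what the green bar renders (organisation name and country) and what a user has to dig out of the certificate viewer (jurisdictionOfIncorporation, registration number), as an added illustration that is not part of the original thread: a standard-library Python decoder for the DER-encoded subject of a certificate, run over two constructed subjects (not taken from any real certificate) that an EV indicator would display identically but whose EV identity fields differ. The attribute OIDs are the real ones from RFC 5280 and the CA/Browser Forum EV Guidelines; the state names and registration numbers are made up, and the small DER encoder exists only to build the samples.

```python
"""Decode an X.501 Name (certificate subject) from DER with the standard library only."""

# Attribute OIDs used in EV subjects (RFC 5280 / CA/Browser Forum EV Guidelines).
OID_NAMES = {
    "2.5.4.6": "countryName",
    "2.5.4.10": "organizationName",
    "2.5.4.5": "serialNumber",  # company registration number in EV certs
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionOfIncorporationStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionOfIncorporationCountryName",
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128, continuation bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def encode_name(attrs) -> bytes:
    """[(attribute, value), ...] -> DER Name: SEQUENCE OF SET OF SEQUENCE
    { OID, UTF8String }, one attribute per RDN (used here only to build samples)."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(NAME_OIDS[a]) + _tlv(0x0C, v.encode())))
        for a, v in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_name(der: bytes) -> dict:
    """Parse a DER Name into {attribute name or dotted OID: value}."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):  # each AttributeTypeAndValue in the SET
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            dotted = _decode_oid(oid)
            result[OID_NAMES.get(dotted, dotted)] = val.decode("utf-8")
    return result

def green_bar_view(der: bytes) -> str:
    """What the EV indicator renders: organisation name and country, nothing else."""
    s = decode_name(der)
    return f"{s['organizationName']} ({s['countryName']})"

def ev_identity(der: bytes) -> dict:
    """The fields a user must dig out of the cert viewer to tell same-named orgs apart."""
    s = decode_name(der)
    return {k: s[k] for k in ("organizationName", "countryName", "serialNumber",
                              "jurisdictionOfIncorporationCountryName",
                              "jurisdictionOfIncorporationStateOrProvinceName") if k in s}

def same_green_bar_different_entity(a: bytes, b: bytes) -> bool:
    """True when the indicator cannot separate two subjects that the EV fields do."""
    return green_bar_view(a) == green_bar_view(b) and ev_identity(a) != ev_identity(b)

# Constructed sample subjects (not from any real certificate): same name and country,
# different jurisdiction of incorporation and registration number.
def _sample(state: str, reg_no: str) -> bytes:
    return encode_name([
        ("countryName", "US"), ("organizationName", "FooBar Holdings Inc."),
        ("serialNumber", reg_no), ("jurisdictionOfIncorporationCountryName", "US"),
        ("jurisdictionOfIncorporationStateOrProvinceName", state)])

SUBJECT_A = _sample("Delaware", "1234567")
SUBJECT_B = _sample("Nevada", "7654321")
```

Calling green_bar_view on both samples gives the same "FooBar Holdings Inc. (US)", while ev_identity returns different jurisdiction and serialNumber values for each; same_green_bar_different_entity(SUBJECT_A, SUBJECT_B) is therefore True. A real subject would be fed in as the DER bytes of the certificate's subject field, which the decoder handles the same way.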
