All,

Recent events and a body of historical research have of late been causing questions among a great many respected security researchers and browser UI guys about the benefits of browser UI signal for EV certificates.

I'd like to start a discussion tangent to that ongoing dialogue. Regardless of any changes in EV certificate handling -- or any lack of changes -- I think it may be worthwhile to have a discussion about the appropriateness of trust indicators in browser UI and the things that might support an indication of a trust indicator.

Today, browsers grant an enhanced display to EV certificates because EV certificates identify the existence of an entity, the authorization of a certificate requestor to request a certificate on behalf of the entity, and link the certificate between the domain(s) of the entity and the entity itself.

In general, it is presumed that this increases the notion that the website presenting this certificate is trustworthy -- most especially, the marketing of the EV "brand" suggests to us that these websites are more trustworthy in terms that we can be confident in engaging in commerce with these websites.

Recent work by security researchers such as Ian Carroll has shown that trust is likely a bit more complicated. We can't trust, in the general case, that "Stripe, Inc." means the Stripe of stripe.com -- the payment processor. In fact, Ian's work involved the creation of a separate "Stripe, Inc." in Kentucky.

I have several questions for the community to ponder:

1. If there were a technologically detectable and authenticatable indicator that a site was "measurably more trustworthy than the general case for the purpose of engagement in commerce", would that merit a browser UI indicator of some form? Specifically a browser initiated UI element, such that the target website itself could not simulate or emulate the indicator in a compelling way.

2. What data or documentation, fully validated, might possibly rise to the above bar regarding the real world identification and legitimacy of the operator of the target website?

Certainly, I have my own thoughts and opinions on this topic.
And if there's interest and traction on those questions by other community members, I hope to expound on those in the course of that conversation.

Thanks,

Matt Hardeman