On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > Thank you Ryan for raising this question, and to everyone who has been > contributing in a constructive manner to the discussion. A number of > excellent points have been raised on the effectiveness of EV in general and > on the practicality of solving the problems that exist with EV. > > While we have concerns about the value of EV as well as the potential for > EV to actually harm users, Mozilla currently has no definite plans to > remove the EV UI from Firefox. At the very least, we want to see > Certificate Transparency required for all certificates before making any > change that is likely to reduce the use of EV certificates. > > Is Google planning to remove the EV UI from desktop Chrome? If so, how does > that relate to the plan to mark HTTP sites as ‘Not secure’ [1]? Does this > imply the complete removal of HTTPS UI? > > While we agree that improvements to EV validation won’t remove many of the > underlying issues that have been raised here, we hope that CAs will move > quickly to make the EV Subject information displayed in the address bar > more reliable and less confusing. > > - Wayne > > [1] > https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
So, given that Mozilla has no immediate plans to remove the EV UI from Firefox, perhaps the UI should be adjusted to include the state the Subject is registered in on the EV badge. No reason for that text to be any more misleading than necessary. (I assume this is something we can pretty much all agree on, yes?) _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
