On Monday, December 18, 2017 at 3:54:24 PM UTC-6, Andrew wrote:
> On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> > Thank you Ryan for raising this question, and to everyone who has been
> > contributing in a constructive manner to the discussion. A number of
> > excellent points have been raised on the effectiveness of EV in general and
> > on the practicality of solving the problems that exist with EV.
> >
> > While we have concerns about the value of EV as well as the potential for
> > EV to actually harm users, Mozilla currently has no definite plans to
> > remove the EV UI from Firefox. At the very least, we want to see
> > Certificate Transparency required for all certificates before making any
> > change that is likely to reduce the use of EV certificates.
> >
> > Is Google planning to remove the EV UI from desktop Chrome? If so, how does
> > that relate to the plan to mark HTTP sites as ‘Not secure’ [1]? Does this
> > imply the complete removal of HTTPS UI?
> >
> > While we agree that improvements to EV validation won’t remove many of the
> > underlying issues that have been raised here, we hope that CAs will move
> > quickly to make the EV Subject information displayed in the address bar
> > more reliable and less confusing.
> >
> > - Wayne
> >
> > [1]
> > https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
>
> So, given that Mozilla has no immediate plans to remove the EV UI from
> Firefox, perhaps the UI should be adjusted to include the state the Subject
> is registered in on the EV badge. No reason for that text to be any more
> misleading than necessary. (I assume this is something we can pretty much all
> agree on, yes?)

I agree that might be good, but especially on mobile devices screen real estate is limited. Perhaps the CAB Forum should with all due haste propose a full slate of improvements to the EV program, while there's still time to make their case. I think Mr. Thayer's statement of Mozilla's position at this point is an opportunity as well as an implied earliest time frame for deprecation. If I were a CA [I'm not], I'd expend great effort to create measurable improvements to the EV program prior to then.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy