On 18/12/2017 21:54, Andrew wrote:
> On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
>> Thank you Ryan for raising this question, and to everyone who has been
>> contributing in a constructive manner to the discussion. A number of
>> excellent points have been raised on the effectiveness of EV in general and
>> on the practicality of solving the problems that exist with EV.
>>
>> While we have concerns about the value of EV as well as the potential for
>> EV to actually harm users, Mozilla currently has no definite plans to
>> remove the EV UI from Firefox. At the very least, we want to see
>> Certificate Transparency required for all certificates before making any
>> change that is likely to reduce the use of EV certificates.
>>
>> Is Google planning to remove the EV UI from desktop Chrome? If so, how does
>> that relate to the plan to mark HTTP sites as ‘Not secure’ [1]? Does this
>> imply the complete removal of HTTPS UI?
>>
>> While we agree that improvements to EV validation won’t remove many of the
>> underlying issues that have been raised here, we hope that CAs will move
>> quickly to make the EV Subject information displayed in the address bar
>> more reliable and less confusing.
>>
>> - Wayne
>>
>> [1]
>> https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
>
> So, given that Mozilla has no immediate plans to remove the EV UI from Firefox,
> perhaps the UI should be adjusted to include the state the Subject is
> registered in on the EV badge. No reason for that text to be any more
> misleading than necessary. (I assume this is something we can pretty much all
> agree on, yes?)

As people have already mentioned, states aren't necessarily that
informative even within the US. Plus it opens up other phishing-y
avenues, like registering a California company that matches some
Canadian company's name. So it's not clear that would be an improvement,
and certainly not a *strict* improvement -- even before factoring in
screen real estate, development and testing effort required, etc.
~ Gijs
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy