Because normal users don't understand that there can be more than one
Stripe, Inc and why there can be.

Many normal users know there's this thing called Stripe that a lot of
websites use for payment and that it's legit.

I'm good with EV becoming a popularity contest.  I'd be good with
publish-for-opposition.  Much could be enhanced here.

Third party legitimacy signals are something many end users want.

I'm well aware that gets into the subjective.

Having said that, if a vacuum is created in that space, the various CAs and
some far less scrupulous "security" companies will come up with an
endorsement badge concept for active vulnerability scanning, etc.

The tradeoff for having EV in the browser UI is that at least some of the
strong minds in the community get to shape that program and requirements.

You could drop it from the browser UIs.  They'll just move it to the
content pane.

But no matter how hard you try, you'll not break the end-user from looking
for what they perceive as a third-party legitimacy endorsement.

I'd very much like to see EV transformed to require individual validation
with name and contact point in the certificate.  I understand that has
significant privacy implications, but EV is optional anyway.

Today, EV is supposed to provide strong real-world identity.  I think it
should be extended to speak to signaled commitment of legitimate intent.
Which means policing EV certificate holders, revoking for other than
endorsed use cases.

On Thu, Apr 12, 2018 at 9:20 AM, Eric Mill <> wrote:

> I'll go further, and protest why the EV cert was revoked. Why can't Ian
> have a "Stripe, Inc." EV certificate for his business if he wants to? What
> makes the payment processing company somehow more deserving of one than
> Ian's company? Why was GoDaddy allowed to effectively take Ian's site down
> without his consent?
> If this is how EV is going to be handled, I think it's time to seriously
> discuss removing the display of EV information from Mozilla products.
> -- Eric
> On Wed, Apr 11, 2018 at 3:31 PM, Jonathan Rudenberg via
> dev-security-policy <> wrote:
>> On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy
>> wrote:
>> > It was injudicious of a CA to issue another certificate in this name for
>> > this entity after the already well documented controversy.  Did they
>> > just not care that it would invite trouble or did they not know that it would
>> > invite controversy and trouble because they didn't track it the first
>> > time around?
>> What "trouble" is being invited? I don't see a problem. Everything is
>> operating exactly as expected. GoDaddy did nothing wrong.
>> _______________________________________________
>> dev-security-policy mailing list
> --
> | @konklone <>