On Thu, Apr 12, 2018 at 11:40 AM, Eric Mill <e...@konklone.com> wrote:

> That's not accurate -- the EV information presented to users was not
> misleading. It correctly described Ian's registered company. The
> certificate was incorrectly revoked. We should probably be discussing
> whether punitive measures are appropriate for this revocation.
> -- Eric

That turns on your definition of "misleading", however.  It's entirely
possible to be 100% accurate with factual statements and yet present them
in a light that is absolutely "misleading".

Did the certificate present incorrect factual data?  No.

Does a user on the Internet who believes he is dealing with "Stripe" expect
that he's dealing with that particular Stripe which processes payments?
Yes, in general.

If you're an internet user and the name Stripe is presented one of two
reactions will arise:

1.  You're not aware of any Stripe at all.
- or -
2.  You've used Stripe on one of a great many website to pay.  If you
remember the name at all, you remember and expect Stripe to be that
particular stripe.

It's misleading to present the name "Stripe" to an Internet user if you
don't mean that particular Stripe.
dev-security-policy mailing list

Reply via email to