On Thu, Apr 12, 2018 at 12:27 PM, Ryan Sleevi <r...@sleevi.com> wrote:

> This is a patently distasteful argument based on broad generalizations that
> do not hold any merit. I realize you've acknowledged your argument is
> fundamentally a popularity contest, but it seems to really base its core on
> "Whoever Matthew Hardeman doesn't think should have a certificate" -
> because there's zero data to support your claim that "will expect", or a
> definition of what constitutes a "common Internet user" (especially in a
> global context). I realize it sounds compelling, but you're making up
> strawmen to support that argument, and the core is an opposition to some
> people being able to get (EV) certificates as a result.

I understand and respect your position here, without agreeing with
it.  You've clearly been a force for improving internet security for the
masses and each of us daily benefits from the work that you do.  Having
said that, I regard as "patently distasteful" your assertion that users are
so inept with evaluating an EV indicator that the indicator should not be
available as a differentiator for those who wish to go the extra distance
to expose their offline identities.  The "common Internet user" probably
won't find my assumptions about them to be offensive.

> So the rules are made up and the certificates are meaningless, then, since
> it's all a popularity contest with shifting requirements based on made up
> ideas. It's certificate Calvinball, and it's a rather silly game to play
> because of it.

Just because a selection criterion is hard to codify does not mean that it's
not worth doing.  Will there always be a subjective aspect?  Probably.

As far as anyone has demonstrated, it remains the case that no one who has
relied upon EV indication as a signal of enhanced trustworthiness has
suffered consequence for that.  Certainly the same can not be said for the
little green lock alone.  In order for EV to maintain the clean "user who
relied upon this hasn't been phished", the CAs issuing EV certificates will
necessarily have to become more selective about issuance.

I understand the overarching goal is likely to eliminate all security
indicators in the long run.  Ultimately, in a 100% TLS world with at least
valid DV certificates, we can say that there's no need as everything is
encrypted and that the communication is authenticated as being exchanged
with a host at the target domain-label in the URL bar.  That allows the
browsers to wash their hands of advising the user of security data points.
It's also not how human nature works.  The universe abhors a vacuum and in
the absence of an indicator in browser UI, they will seek it in droves from
some ridiculous scheme sold by charlatans and implemented in the content
pane.  Those ridiculous security badges are still a thing for that reason.
People like having something to compare or test.

dev-security-policy mailing list