On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> A policy of switching from positive to negative indicators of security
> differences is no justification to switch to NO indication. And it
> certainly doesn't help user understanding of any indicator to
> arbitrarily change it with 3 days of no meaningful discussion.
>
> The only thing that was insecure with Firefox EV has been that the
> original EV indicator only displayed the O= and C= field without enough
> context (ST, L). The change fixes nothing, but instead removes the direct
> indication of the validation strength (low-effort DV vs. EV) AND removes
> the one piece of essential context that was previously there (country).
>
> If something should be done, it would be to merge the requirements for
> EV and OV with an appropriate transition period to cause the distinction
> to disappear (so at least 2 years from new issuance policy). UI
> indication should continue to distinguish between properly validated OV
> and the mere "enable encryption with no real checks" DV certificates.
>

I have to admit that I'm a little confused by this whole discussion. While I've been involved with PKI for a while, I've never been clear on the problem(s) that need to be solved that drove the browser UIs and creation of EV certificates.

One thing I've found really useful in working on user experience is to discuss things using problem & solution statements that show the before and after. For example, "It used to take 10 minutes for the fire sprinklers to activate after sensing excessive heat in our building. With the new sprinkler heads we installed they will activate within 15 seconds of detecting heat above 200°C, which will enable fire suppression long before it spreads."

If we assume for a minute that Firefox had no certificate information anywhere in the UI (no subject info, no issuer info, no way to view chains, etc), what user experience problem would you be solving by adding information about certificates to the UI?
Thanks,
Peter (speaking only for myself, not my employer)