On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> EV was originally an initiative to make the CAs properly vet OV
> certificates, and to mark those CAs that had done a proper job.
> EV issuing CAs were permitted to still sell the sloppily validated
> OV certs to compete against the CAs that hadn't yet cleaned up their
> act.
> This was before the BRs took effect, meaning that the bar for issuing OV
> certs was very low.

> To heavy-handedly pressure the bad CAs to get in line, Firefox
> simultaneously started to display exaggerated and untruthful warnings
> for OV certificates, essentially telling users they were merely DV
> certificates.
> So the intended long-term benefit would be that less reliable CAs would
> exit the market, making the certificate information displayed more
> reliable for users.

This does not seem to be supported by the statements by Opera, Mozilla, the
KDE Foundation, and Microsoft at the time, so unfortunately, I must point
out that you are either mistaken or being dishonest, or both.


Perhaps you'd like to correct the misstatements, having been pointed to
contemporaneous statements from people actually there and involved in the
decisions, which I can hope you were simply unaware of?