On Thursday, August 15, 2019 at 7:30:46 AM UTC-4, Kurt Roeckx wrote:
> On Wed, Aug 14, 2019 at 11:52:46PM -0700, Daniel Marschall via 
> dev-security-policy wrote:
> > In old Firefox, I get a green bar if I visit google.com and paypal.com, 
> > telling me that this is a well-known company that got the EV certificate.
> > The other fake domains goog1e.com and paypa1.com only have DV certificates 
> > by Let's Encrypt.
> 
> The green bar does not indicate that it's a well-known company. It
> means someone paid for an EV certificate. The green bar does not
> in any way say it's more secure or indicate that you're talking to
> some trustworthy company. It only gives you a false sense of
> security.
> 
> 
> Kurt

That's a pretty disingenuous description of EV certificates. Whether they paid
for it or not isn't the issue. It means that some entity applied for an EV
certificate, the CA used the vetting methods described in the CA/B Forum EV
guidelines (which were agreed to by CAs and browsers) to verify the domain, the
company, the address, location, etc. Only after that is complete is an EV
certificate issued. The CA was then audited against the work they did (in
addition to assuring they meet physical, network and other audit requirements),
annually.

I have to agree with Jakob, it's remarkable that Mozilla would make such a
drastic change with only a 2-day announcement and no discussion.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy