Doug Beattie <doug.beat...@globalsign.com> writes:

>So far all I see is a number of contrived test cases picking apart small
>components of EV, and no real data to back it up.

See the phishing stats from any source you care to use.  I've already
mentioned the APWG which I consider the premier source, and also linked to the
SSL Store blog which happened to be the first Google hit, but feel free to
take any source of stats you trust, and see if you can find any that show that
phishing decreased and/or security increased due to EV certs.

I could also reverse this and say: You claim that EV certs are useful. Produce
some stats showing this.  We could agree on using the APWG as our source,
since they're pretty authoritative.

In either case, we've got a good, decade-long, reliable, heavily-analysed data
source, it's up to the two sides to use it to support their case.  I've
already made mine.

>Yes, I work for a CA that issues EV certificates, but if there was no value
>in them, then our customers would certainly not be paying extra for them.

Must remember that one for the quotes file :-).

In case you're wondering why I find it amusing, consider this variant:

  Yes, I work for Monster Cable, but if there was no value in our cables then
  our customers would certainly not be paying extra for them.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
