On Sun, Aug 18, 2019 at 01:35:55PM -0700, Daniel Marschall via 
dev-security-policy wrote:
> Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer:
> > [...] From what I can see so far,
> > browser vendors aren't "ending" EV certificates, a couple of them are merely
> > modifying their UIs guided by relevant research into the efficacy (or lack
> > thereof) of the current UI.
> 
> Matt, I don't understand this.  Isn't removing the UI bling the same as
> "removing" EV from the browser?

Yes, but removing EV from the browser isn't the same as ending EV
certificates, which is what was claimed in the message I responded to.

> I guess that EV will eventually ended by the Customers/CAs.

We'll have to leave it to the invisible hand of the market to sort that out. 
If CAs cease issuing EV TLS/SSL certificates, it will presumably be because
customers are no longer buying them, and customers will cease buying them if
there is no perceived value in them, which is what CAs have repeatedly said
isn't the case.  So CAs ceasing to issue EV TLS/SSL certificates will be a
confirmation that, in fact, EV TLS/SSL certificates had no value beyond the
UI "bling", as you call it, which the research overwhelmingly indicates is
of trivial value.

> I just looked at Opera and noticed that they don't have any UI difference
> at all, which means I have to open the X.509 certificate to see if it is
> EV or not.

So that's one more browser vendor that sees no value in "UI bling" for EV
certificates.  It almost makes Firefox and Chrome look like the laggards in
this decision, rather than the harbingers of a new era.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to