On 11/7/06, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
> Duane wrote:
> > Since phishing exists happily with no SSL, why would they start using
> > SSL all of a sudden now that EV's are being discussed?
>
> Somehow I have to agree with this statement. EV certificates solve perhaps partially a certification problem, not necessarily the phishing problem.

Section B.2.(b) of the Draft EV Guidelines also states that the EV proposal only secondarily addresses phishing. It seems EV is neither proposed to have, nor believed to have, a major impact on the phishing problem as it exists today.

Change to a primary user interface widget in the browser, such as the Address bar, is a major change. Unless the proposed change promises immediate and dramatic improvement, I don't see why there should be any rush to adoption. Surely we have time for user studies and other debate over the impact of the change. This particular bucket of water is not aimed at the fires that concern us most.

Given the serious problems with browser security, such as phishing and XSS, I don't understand why the EV proposal is consuming any of Mozilla's precious development resources or affecting any release plans. Shouldn't the EV proposal be developing as just another addon, like any other low-to-mid priority change? Why is it jumping straight to consideration by Mozilla for inclusion in the mainline code?

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
