On Friday, September 6, 2019 at 11:44:30 AM UTC-7, browser...@gmail.com wrote:
> Thanks for the update Jonathan, the article I read didn't mention the funding > source, but the article wasn't the point of my post. > > Bottom line, why strip out of view the only browser mechanism that identifies > the owner of a website? Why not force the CA's to improve the EV validation > process and create a ubiquitous user experiences around EV across ALL > browsers so that visitors can begin to see the commonality of EV's purpose? > > For the betterment of a safer and more trustworthy Internet, why digress from > the concept of web identity verification instead of trying to make it better? The problem is that EV does not provide a owner identity that is actually useful to end users: * the public name of many companies is not their incorporated name (e.g. https://www.thesslstore.com) * Unlike hostnames, company names are not globally (as we've seen repeatedly, mentioned earlier was Stripe, Inc). By design this is not a fixable problem - unlike a hostname you cannot say a CA isn't allowed to issue certs to "special" or "high profile" company names. Let's take nissan.com, giving it an EV cert would not help a user distinguish it from Nissan Motors because the EV cert will just say Nissan, Inc or whatever. These problems are both uncorrectable, by design. There is no amount of "extra" validation a CA can do that fixes them. If a company is incorporated with a given name a CA cannot refuse to issue an EV cert with that name. The only true identity for a given webpage is the URL, and many years of effort have gone into getting users to look at the address bar to verify they are where they think they are. Modern browsers highlight the one part that matters (the hostname) to further help users verify this. EV certs only serve to confuse this by inserting an additional string the the url bar, or by randomly (from the PoV of the user) overloading the padlock with different colors. Again, the burden is on CAs to demonstrate that EV cert UI provides a security benefit the outweighs their very real security harm: mismatched names, multiple strings in the location bar, and overloading the padlock all add mental overhead and confusion. These harms aren't hypothetical, other people in this thread have linked to studies showing these are real problems. --Oliver _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
