On 17/08/2019 00:56, James Burton wrote:
If one compares the first EV specification with the current EV
specification one will notice that the EV specification hasn't changed that
much during its lifetime. The issues presented during the last years through
research have been known about since the first adoption of the EV
specification. If CAs really cared about EV they would have tried and
improved it during the past 10+ years but nothing happened. If browsers
decided to keep EV what would change? Nothing at all.
Latest change was May 21, 2019. This added a way to include additional
government identifiers and very strict validation if that was a banking
identity.
The EV standards development has always been an adversarial thing with
relying party representatives (only browsers allowed to participate,
unfortunately) requiring stronger checks and CAs trying to minimize the
requirements imposed on them.
The alleged "issues presented during the last years through research"
are mostly red herrings.
There is no one point in discussing the removal of EV any further because
the EV specification had already died.
This change doesn't just remove EV, it kills OV too. I have always
argued that the UI difference between EV and OV should be reduced or
removed, but removing the difference between EV and DV is so obviously
malicious it is indefensible.
On Fri, Aug 16, 2019 at 11:19 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
Honestly the issues, as I see them, are twofold:
1. When I visit a site for the first time, how do I know I should expect
an EV certificate? I am conscientious about subsequent visits, especially
financial industry sites.
2. The browsers seem to have a bias toward the average user, that user
literally being less ...smart/aware... than half of all users. EV is a
feature that can only benefit people who are vigilant and know what to look
for. It seems dismissive of the more capable users, but I suppose that's
their call.
A stronger, less confusing UI indicator of EV vs. DV (the important
distinction) would greatly reduce that problem. Instead there has been
an agenda to gradually fade the indication into invisibility, and this
is apparently the final blow.
An obvious non-malicious way forward would be:
1. Reject and revert this malicious change from Mozilla based browsers
and market this difference as a major benefit of Firefox over the 3
platform browsers (IE/Edge, Safari and Chrome). Minor browsers are
thus shown that there still is a real choice to be better too.
2. Restore the clear rule that the entire address bar will be in the
color of the certificate validation strength, (initially green for
EV, white for DV/none, Red for clearly invalid). Not just a partial
coloration.
3. Fix the indicator weaknesses (spoofable color favicon in indicator
area, not switching to the color of a weaker page element cert,
showing identity fields that are not the same for all page elements).
4. Use different color for OV vs. no cert/DV to reflect the actual
difference.
5. Display the information from OV certs like the same information in
EV certs, even if it doesn't qualify for EV color. For example
company name and country in OV color where those values pass all
checks except being EV.
6. Continue to push for stronger (but not excessive) validation of
certificate elements other than the domain name. For example there
should be meaningful validation that the certificate requester
controls the claimed street address, but having to send a man to
physically visit every business address every few years would be too
much for regular EV certs, but still appropriate for "high value/risk
identities" (similar to "high value/risk domains", but different
fields).
On Fri, Aug 16, 2019 at 5:15 PM Daniel Marschall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
I have a few more comments/annotations:
(1) Pro EV persons argue "Criminals have problems getting an EV
certificate, so most of them are using only DV certificates".
Anti EV persons argue "Criminals just don't use EV certificates, because
they know that end users don't look at the EV indicator anyway".
I assume, we do not know which of these two assumptions fits to the
majority of criminals. So why should we make a decision (change of UI)
based on such assumptions?
(2) I am a pro EV person, and I do not have any financial benefit from EV
certificates. I do not own EV certificates, instead my own websites use
Let's Encrypt DV certificates. But when I visit important pages like
Google or PayPal, I do look at the EV indicator bar, because I know that
these pages always have an EV certificate. If I would visit PayPal and only
see a normal padlock (DV), then I would instantly leave the page because I
know that PayPal always has an EV certificate. So, at least for me, the UI
change is very negative (except if