Dear Daniel!

> Please tell me if I understand this correctly...
> Is it that DV and EV certificates now both show the same lock symbol?
> That would be a great harm in my opinion. And I do not understand why you want this change.
>
> I think EV is very important and I explain why.
>
> Let's look at the following hypothetical case: We have google.com, paypal.com as well as goog1e.com and paypa1.com. Notice the two number 1 (one) instead of a lower case L in the latter two domains. (Lowercase "L" and "one" look perfectly equal in Times New Roman. And lowercase "L" looks perfectly equal to uppercase "i" in Arial.)
>
> In old Firefox, I get a green bar if I visit google.com and paypal.com, telling me that this is a well-known company that got the EV certificate. The other fake domains goog1e.com and paypa1.com only have DV certificates by Let's Encrypt.
>
> In the newer Firefox, both domains, the real one and the fake one, get a lock symbol. And I need to click the lock to see if it is DV or EV.
>
> Do I understand that correctly?
Any CA that strictly follows BRGs 4.2.1 should not issue a certificate for paypa1.com or goog1e.com. Until recently this was also done by Let's Encrypt, but they stopped doing so in January 2019 - https://community.letsencrypt.org/t/let-s-encrypt-no-longer-checking-google-safe-browsing/82168. Maybe someone from the Let's Encrypt team can explain how they are now fulfilling this requirement.

/Rufus

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
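As an added illustration (not part of Rufus's message and not any CA's actual code), here is a minimal version of the lookalike screen discussed above, of the kind a CA could run on a certificate request or a defender on a new-certificate feed; the brand list and the confusable table are constructed assumptions.

```python
# Added example, not from the thread: a minimal lookalike screen of the kind a
# CA could run on a certificate request, or a defender on CT-log / new-cert feeds.
# The brand list and the confusable table are constructed for illustration only.
import unicodedata
from typing import Dict, Iterable, Optional

PROTECTED = ("google.com", "paypal.com")  # constructed watch list

# ASCII characters that render nearly identically in common fonts, folded to
# one canonical letter: digit one, pipe and lowercase i to "l", zero to "o".
# Unicode homographs (e.g. Cyrillic letters) need the UTS #39 confusable
# tables and are out of scope here.
CONFUSABLE = str.maketrans({"1": "l", "|": "l", "i": "l", "0": "o"})

def _plain(domain: str) -> str:
    """Lower-case and NFKC-normalise, drop a trailing dot and a leading www."""
    d = unicodedata.normalize("NFKC", domain.strip()).lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain that `domain` imitates, or None."""
    plain = _plain(domain)
    folded = plain.translate(CONFUSABLE)
    for brand in PROTECTED:
        if plain == brand:
            return None                       # the genuine name itself
        if folded == brand:
            return brand                      # goog1e.com, paypa1.com, paypaI.com
        # brand used as a label inside a longer name, e.g. paypal.com.example.net
        if brand.split(".")[0] in folded.split(".")[:-1]:
            return brand
    return None

def screen(requests: Iterable[str]) -> Dict[str, str]:
    """Map each requested name to the brand it imitates (flagged names only)."""
    hits: Dict[str, str] = {}
    for name in requests:
        brand = lookalike_of(name)
        if brand:
            hits[name] = brand
    return hits

if __name__ == "__main__":
    sample = ["google.com", "goog1e.com", "PaypaI.com", "www.paypal.com",
              "paypal.com.login.example"]   # constructed requests
    for name, brand in screen(sample).items():
        print(f"HOLD for manual review: {name} resembles {brand}")
```

A hit only means "hold for manual review", which is how a high-risk-request screen is normally used; it is not a proof of bad intent.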