On Mon, Dec 11, 2017 at 3:12 PM, Tim Hollebeek <tim.holleb...@digicert.com>
wrote:

> On the contrary, everything needs to be improved with time. Just because
> it could be made better doesn’t make it useless or bad.
>
> -Tim

I didn't say that its ability to be improved made it bad - merely, its
present state is bad, particularly for users. Let's not focus on
generalities when we have a very specific case in front of us.

- We're in agreement that the certificates were legitimate.
- We're (seemingly) in agreement that we cannot discern intent (whether
they were used for good or bad), and certainly not on the browser side.
- We're in agreement that, as a result of the certificates being
legitimate, they are potentially confusing for users. I say potentially,
because the fact that "Stripe, Inc" is a company in Kentucky versus
Delaware may not be an issue - there are other companies with the name
"Stripe" in their name that may or may not be confusing, depending on the
user's context. [1]

As such, it's a fair and legitimate question to ask whether EV
certificates, as presently specified, deserve the UI treatment afforded to
them.
- If the fundamental certificate does not deserve it, then the UI should be
removed. This is orthogonal to any proposals to introduce some new type of
certificate that affords special UI.
  - Suggestions to "change the UI" are not equal or equivalent to "remove
the UI" - adding user interface complexity is not equivalent to simplifying
the user interface.
- If the fundamental certificate does deserve the UI treatment, then
demonstrate why it does. You seem to be in agreement that the present form
of legal identity is insufficient for the presumed use case, so I'm hoping
you can close the gap in my understanding on why something is
simultaneously insufficient yet suitable.

[1] https://crt.sh/?O=Stripe%25
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
