On Monday, December 11, 2017 at 4:01:21 PM UTC-5, Paul Wouters wrote:
> On Mon, 11 Dec 2017, Ryan Hurst via dev-security-policy wrote:
> 
> > The issues with EV are much larger than UI. It needs to be revisited and an 
> > honest and achievable set of goals needs to be established and the processes 
> > and procedures used pre-issuance and post-issuance need to be defined in 
> > support of those goals. Until that's been done I cannot imagine any browser 
> > would invest in new UI and education of users for this capability.
> 
> While I agree that EV does not solve world peace, can you tell me what
> is wrong with the Firefox approach of showing EV? That is, browsers
> hiding the real hostname with EV seems to behave wrong, and should be
> fixed. This seems unrelated to other noble goals of giving users improved
> security. It seems you are conflating many things, then say it is too
> much work and let's just scrap it.
> 
> Thus, so far I see reason for some browsers to fix their UI. I can see
> reasons for EV to improve. I see no reason to further confuse users
> by removing EV without a successor.

EV adds unnecessary information to the UI that can easily mislead users into 
believing a site is not as it stands, and condition users away from the only 
meaningful mitigation - checking the URL (and that itself is not perfect, but 
it's not helped by EV either).

That is, showing EV is wrong.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
