Hi,

On Mon, 11 Dec 2017 11:01:10 -0800 (PST) Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I suppose this is both a question for policy and for Mozilla - given
> the ability to provide accurate-but-misleading information in EV
> certificates, and the effect it has on the URL bar (the lone trusted
> space for security information), has any consideration been given to
> removing or deprecating EV certificates?

I support the removal of special treatments and UI for EV certificates.

Rationale: I believe plenty of security research shows that it is incredibly hard to communicate security indicators to users. If you ask average users about the meaning of green locks, green URL bars or anything else, they will usually not know what it means.

This leaves only one sensible conclusion: Security indicators should be removed. The goal should be to have one security level that is the default (HTTPS+DV) and make that as secure as possible.

The community should therefore try to strengthen the CA ecosystem as a whole and not try to make any "special" certificates.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42