On 15/12/17 15:50, Tim Shirley wrote:
> I don’t see how you can argue that the EV “seatbelt” breaks 100% of
> the time. I know my bank uses an EV cert. Any time I come across a
> site claiming to be my bank but lacking an EV cert, and my browser
> shows me that distinction, is a time when the seatbelt saves me,
> through that extra signal that alerts me that something isn’t right.

Unless you are using a browser (e.g. a mobile browser) which doesn't show EV indicators, for UX choice or even technical reasons. So you need to know which browsers show EV in the first place.

And then, if you are using Chrome, AIUI an OCSP failure will lead to a downgrade to no-EV, so you have to eliminate the possibility as well.

As things stand, for better or worse, there are multiple circumstances where the EV indicator might not show even though it's your real bank.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy