That is, indeed, a good question.

I've also questioned simultaneously questioning users' reliance on the UI
while suggesting that no user looks to the UI.

If the user does not see or make decisions on the basis of the UI, it seems
leaving it present is no harder a conclusion to arrive at than removing it.

On Mon, Dec 18, 2017 at 12:26 PM, Andrew via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> > It also perpetuates the myopic and flawed view as a phishing mitigation,
> > whose reliance is upon users checking it (again, user hostile)
>
> Ryan, several times now you've characterized the expectation that users
> check that the name listed on an EV certificate matches their expectations
> as "user-hostile". Could you clarify why it is you believe this practice is
> user-hostile while at the same time, expecting users to check the domain
> name listed in the URL bar is not? (Or perhaps you believe that both
> practices are user-hostile?)
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>