Thank you Ryan for raising this question, and to everyone who has been contributing in a constructive manner to the discussion. A number of excellent points have been raised on the effectiveness of EV in general and on the practicality of solving the problems that exist with EV.
While we have concerns about the value of EV as well as the potential for EV to actually harm users, Mozilla currently has no definite plans to remove the EV UI from Firefox. At the very least, we want to see Certificate Transparency required for all certificates before making any change that is likely to reduce the use of EV certificates. Is Google planning to remove the EV UI from desktop Chrome? If so, how does that relate to the plan to mark HTTP sites as ‘Not secure’ [1]? Does this imply the complete removal of HTTPS UI? While we agree that improvements to EV validation won’t remove many of the underlying issues that have been raised here, we hope that CAs will move quickly to make the EV Subject information displayed in the address bar more reliable and less confusing. - Wayne [1] https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
