On Thu, Apr 12, 2018 at 12:27 PM, Ryan Sleevi <r...@sleevi.com> wrote:
This is a patently distateful argument based on broad generalizations that > do not hold any merit. I realize you've acknowledged your argument is > fundamentally a popularity contest, but it seems to really base its core on > "Whoever Matthew Hardeman doesn't think should have a certificate" - > because there's zero data to support your claim that "will expect", or a > definition of what constitutes a "common Internet user" (especially in a > global context). I realize it sounds compelling, but you're making up > strawmen to support that argument, and the core is an opposition to some > people being able to get (EV) certificates as a result. > I understand and respect with your position here, without agreeing with it. You've clearly been a force for improving internet security for the masses and each of us daily benefits from the work that you do. Having said that, I regard as "patently distasteful" your assertion that users are so inept with evaluating an EV indicator that the indicator should not be available as a differentiator for those who wish to go the extra distance to expose their offline identities. The "common Internet user" probably won't find my assumptions about them to be offensive. > > > So the rules are made up and the certificates are meaningless, then, since > it's all a popularity contest with shifting requirements based on made up > ideas. It's certificate Calvinball, and it's a rather silly game to play > because of it. > Just because a selection criteria is hard to codify does not mean that it's not worth doing. Will there always be a subjective aspect? Probably. As far as anyone has demonstrated, it remains the case that no one who has relied upon EV indication as a signal of enhanced trustworthiness has suffered consequence for that. Certainly the same can not be said for the little green lock alone. In order for EV to maintain the clean "user who relied upon this hasn't been phished", the CAs issuing EV certificates will necessarily have to become more selective about issuance. I understand the overarching goal is likely to eliminate all security indicators in the long run. Ultimately, in a 100% TLS world with at least valid DV certificates, we can say that there's no need as everything is encrypted and that the communication is authenticated as being exchanged with a host at the target domain-label in the URL bar. That allows the browsers to wash their hands of advising the user of security data points. It's also not how human nature works. The universe abhors a vacuum and in the absence of an indicator in browser UI, they will seek it in droves from some ridiculous scheme sold by charlatans and implemented in the content pane. Those ridiculous security badges are still a thing for that reason. People like having something to compare or test. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy