On Thu, Apr 12, 2018 at 02:15:02PM -0500, Matthew Hardeman via dev-security-policy wrote: > On Thu, Apr 12, 2018 at 1:57 PM, Eric Mill <e...@konklone.com> wrote: > > But he did not deceive users. Demonstrating that this is possible is not > > itself an act of deception. > > Except that if he can't maintain a working EV certificate in a name that > may deceive users, then that would make the text misleading/deceiving. In > a lovely chicken/egg debate fashion, the CA managed to make his website > deceptive.
On a practical level, though, is there any reason to believe that the certificate was revoked for any reason *other* than because the existence of the certificate was widely publicised, beyond the publicity that any other EV cert would get (I'm thinking about CT, mostly)? If the only reason the cert got pulled is because Ian acted in a manner different to that of a scammer (I doubt J. Random Miscreant is going to be blogging about their ability to get an embarrassing-looking EV cert), then you're not really making a positive point about the value of EV. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy