On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> EV was originally an initiative to make the CAs properly vet OV
> certificates, and to mark those CAs that had done a proper job.
> EV issuing CAs were permitted to still sell the sloppily validated
> OV certs to compete against the CAs that hadn't yet cleaned up their
> act.
>
> This was before the BRs took effect, meaning that the bar for issuing OV
> certs was very low.
>
> To heavy-handedly pressure the bad CAs to get in line, Firefox
> simultaneously started to display exaggerated and untruthful warnings
> for OV certificates, essentially telling users they were merely DV
> certificates.
>
> So the intended long term benefit would be that less reliable CAs would
> exit the market, making the certificate information displayed more
> reliable for users.
>

This does not seem to be supported by the statements by Opera, Mozilla, the
KDE Foundation, and Microsoft at the time, so unfortunately, I must point
out that you are either mistaken or being dishonest, or both.

https://web.archive.org/web/20060316082248/http://www.opera.com/security/toronto/
https://dot.kde.org/2005/11/22/web-browser-developers-work-together-security
http://hecker.org/mozilla/ssl-ui
https://blogs.msdn.microsoft.com/ie/2005/11/21/better-website-identification-and-extended-validation-certificates-in-ie7-and-other-browsers/

Perhaps you'd like to correct the misstatements, having been pointed to
contemporaneous statements from people actually there and involved in the
decisions, which I can hope you were simply unaware of?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
