If one compares the first EV specification with the current EV
specification one will notice that the EV specification hasn't changed that
much during its lifetime. The issues presented during the last years through
research have been known about since the first adoption of the EV
specification. If CAs really cared about EV they would have tried and
improved it during the past 10+ years but nothing happened. If browsers
decided to keep EV what would change? Nothing at all.

There is no point in discussing the removal of EV any further because
the EV specification had already died.

On Fri, Aug 16, 2019 at 11:19 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Honestly the issues, as I see them, are twofold:
>
> 1.  When I visit a site for the first time, how do I know I should expect
> an EV certificate?  I am conscientious about subsequent visits, especially
> financial industry sites.
>
> 2.  The browsers seem to have a bias toward the average user, that user
> literally being less ...smart/aware... than half of all users.  EV is a
> feature that can only benefit people who are vigilant and know what to look
> for.  It seems dismissive of the more capable users, but I suppose that's
> their call.
>
> On Fri, Aug 16, 2019 at 5:15 PM Daniel Marschall via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > I have a few more comments/annotations:
> >
> > (1) Pro EV persons argue "Criminals have problems getting an EV
> > certificate, so most of them are using only DV certificates".
> >
> > Anti EV persons argue "Criminals just don't use EV certificates, because
> > they know that end users don't look at the EV indicator anyway".
> >
> > I assume, we do not know which of these two assumptions fits to the
> > majority of criminals. So why should we make a decision (change of UI)
> > based on such assumptions?
> >
> > (2) I am a pro EV person, and I do not have any financial benefit from EV
> > certificates. I do not own EV certificates, instead my own websites use
> > Let's Encrypt DV certificates. But when I visit important pages like
> > Google or PayPal, I do look at the EV indicator bar, because I know that
> > these pages always have an EV certificate. If I would visit PayPal and
> > only see a normal pad lock (DV), then I would instantly leave the page
> > because I know that PayPal always has an EV certificate. So, at least for
> > me, the UI change is very negative (except if you color the pad lock in a
> > different color, that would be OK for me). We cannot say that all users
> > don't care about the EV indicator. For some users like me, it is
> > important.
> >
> > (3) Also, I wanted to ask, if you want to remove the UI indicator,
> > because you think that EV certificates give the feeling of false
> > security, then please tell me: What is the alternative? Removing the UI
> > bling without giving any alternative solution is just wrong in my
> > opinion. Yes, there might be a tiny amount of phishing sites that use EV
> > certificates, but the EV indicator bar is still better than just nothing.
> > AntiPhishing filters are not a good alternative because they only protect
> > when the harm is already done to some users.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy