On Tue, Oct 08, 2019 at 07:16:59PM -0700, Paul Walsh via dev-security-policy wrote: > Why isn’t anyone’s head blowing up over the Let’s Encrypt stats?
Because those stats don't show anything worth blowing up ones head over. I don't see anything in them that indicates that those 14,000 certificates -- or even one certificate, for that matter --was issued without validating control over the domain name(s) indicated in the certificates. EV and DV serve different purposes, and while DV is more-or-less solving the problem it sets out to solve, the credible evidence presented shows that EV does not solve any problem that browsers are interested in. > If people think “EV is broken” they must think DV is stuck in hell with > broken legs. Alternately, people realise that EV and DV serve different purposes through different methods, and thus cannot be compared in the trivial and flippant way you suggest. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy