> On Oct 14, 2019, at 12:07 PM, Ronald Crane via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> The finding is from public information that is relevant to the current value 
> of EV certificates, which is a central part of this discussion.

[PW] I’m still confused Ronald. And, sorry for taking so long to respond. I 
moved to Vancouver recently and it was Thanksgiving / long weekend.

I’m not sure I understand why you're pointing out that MetaCert uses a Let’s 
Encrypt DV cert. 

Our use of Let’s Encrypt and/or a DV certificate doesn't prove or disprove 
anything that I have said about the need for new browser UI for website 
identity to help make the web safer. If anything, it should help to demonstrate 
that I’m impartial to the CA/Browser battles as an unbiased commentator - I 
literally didn’t want to choose a CA because I knew people would look to see who 
we used. 

Please try to see the good in what I say and do - I have no ulterior motives or 
hidden agendas. If you disagree with something I do or say please say so, and 
let’s debate that. 

And while I have your attention, I would like to point out that I believe 
encryption is vital. HTTPS is vital. SSL certs are vital. I love that DV certs 
can be free. None of these opinions mean that the problems I talk about in my 
thesis aren’t real. It’s ok to like a thing, while trying to discuss the 
problems that are introduced by that thing. Lifting out a single point I make, 
can take what I mean out of context - just like removing a single word or 
adding an Oxford comma can change the meaning of a sentence. 

It would be strange for me not to support encryption or DV certs. DV and EV use 
the same technology. EV just happens to have ownership identity info for 
browsers to display to end-users. 

I rarely use the term “EV” because I believe website identity is bigger and 
wider. And who’s to say the tech and/or methodology behind the tech doesn’t 
change. The term “EV” seems to upset so many people because they can’t see 
beyond their hate for CAs. This is immature. This discussion shouldn’t be EV vs 
DV. 

I’m motivated by the long-term possibilities of decentralizing the decision 
making process for URL classification.

Back to my thesis about the need for new and better browser UI for website 
identity to help make the web safer, was there something that you disagreed 
with Ronald? 
https://casecurity.org/2019/10/10/the-insecure-elephant-in-the-room/ 

Thanks,
- Paul

> 
> -R
> 
> On 10/14/2019 11:10 AM, Paul Walsh via dev-security-policy wrote:
>> I have two questions Ronald:
>> 
>> 1. What should I look for? I just see a DV cert from Let’s Encrypt.
>> 
>> 2. Why did you message the entire community about whatever it is you’ve 
>> found?
>> 
>> Thanks,
>> Paul
>> 
>> Sent from my iPhone
>> 
>>> On Oct 12, 2019, at 11:04 AM, Ronald Crane via dev-security-policy 
>>> <dev-security-policy@lists.mozilla.org> wrote:
>>> 
>>> Just FYI, metacert.com served up this cert recently: 
>>> https://crt.sh/?id=1884181370 .
>>> 
>>> -R
>>> 
>>> _______________________________________________
>>> dev-security-policy mailing list
>>> dev-security-policy@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-security-policy