Eddy Nigg (StartCom Ltd.) wrote:
> But also back and again...EV is a business plan! It has nothing to do
> with the supposed verification procedures, because the procedures
> existed in similar forms already...any CA is free to pick these
> procedures as their own and start issuing certificates accordingly
> today!

Yes, they could, but the presentation in the browser is exactly the same whether they do or don't. Why would they bother doing it the hard way? More and more CAs are apparently asking themselves that question. I don't really care about helping CAs sell more expensive certs, but I do want them to do more validation with an explicit standard we can hold them to. If we can offer a usable and effective UI differentiator for EV certs, maybe we and the CAs can both get what we want (big if). Threatening to turn off "EV-ness" of a CA's root cert for non-compliance with the standard is a more credible threat than yanking the root from the browser and frustrating millions of users.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security