Ben Bucksch wrote:
> We try to train users to check that the bar is green (on sites where it
> was green before), and not use the site when it's merely blue.
> Otherwise, EV is useless, as the scammer could get a, say, CertStar
> cert, to fake an EV site, right? Only when people start getting
> concerned and stop visiting the site when it's turning green->blue is EV
> of any use.
> So, that means we have the same collateral damage as now.

Well... yes and no. If we remove a root, then the user gets scary error
messages and can't easily access the site. If we remove EV status, the
CA and their customers get upset because some customers are going to get
spooked (they don't know how many - that's one of the good things). So
removing EV is, in some senses, not as big a deal as yanking a root.

