On Aug 13, 2012, at 2:31 PM, Hill, Brad wrote: > tl;dr version: > > EV is not a security boundary today in web user agents, it is a way to get a > user interface decoration. > > If we want to ask browser vendors to make it into a security boundary which > they will defend, we need to think about a fairly complex and broad threat > model. > > I'm not convinced that: > > a) it's worth doing LockEV unless it's going to be a real security barrier > b) the complexity introduced in making it a real security barrier is worth it > for such a rare attack
+1 to all that. --Paul Hoffman _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
