[Servercert-wg] [EXTERNAL]Re: Clarification about EVG 9.2.4

Ryan Sleevi sleevi at google.com
Thu Dec 5 12:11:39 MST 2019


On Thu, Dec 5, 2019 at 1:57 PM Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> So… Google eliminated the EV UI in Chrome in September, and you have
> stated for years that EV identity information is of no value in user
> security.  So why are you trying to tell CAs what EV corporate registry
> data sources they should use when issuing EV certificates?  What’s your
> interest?
>

Kirk,

I'm afraid you're confused again, and may be unintentionally grossly
misrepresenting things.

Chrome has not eliminated the EV UI, nor has, to the best of my knowledge,
any other browser. While we heard that Apple updated their UI in June of
2018, Google simply moved how it treats EV information into a more cohesive
UI surface that's better aligned with user security. It sounds like Mozilla
Firefox has also adopted similar changes. However, all three browsers still
support EV, and still display UI, so statements like "eliminated the EV UI"
are simply factually wrong.


> When it comes to discussion of corporate registry validation rules for EV
> certificates, I think CAs are more interested in the views and opinions of
> browsers who support EV and website identity instead of those who don’t.
>

Perhaps it's not how you intended to come across, but it does sound as if
you're explicitly not interested in developing standards that can be used
by a wide variety of consumers. I would think that, regardless of any
disagreements about UI surface, we might agree on the need for consistent
results among all CAs, and that all certificates - whether DV, OV, or EV -
have identical levels of assurance, regardless of the CA that issued it.
After all, that's the core activity of the Forum.

Of course, if there's no interest from CAs in developing fair, neutral, and
consistent standards, I suppose it would be inevitable that the 'standards'
that are developed, but lead to wildly inconsistent results, would be
ignored or rejected by industry. After all, if the product isn't valuable
to those who would potentially use it, it doesn't seem a worthwhile product.

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20191205/def494cb/attachment.html>


More information about the Servercert-wg mailing list