[Servercert-wg] [EXTERNAL]Re: Clarification about EVG 9.2.4

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Dec 5 12:20:15 MST 2019

It’s interesting to hear you say that Chrome did not remove the EV UI – you did:

“Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended (see Further Reading below). Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection,” Google said (https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md).

“Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.”

Google is hostile generally to including identity information in certificates, and is trying to prevent CAs from adding Legal Entity Identifiers (LEIs), www.gleif.org, upon threat of distrusting any EV certificate that includes a verified LEI, or even distrusting the CA’s own roots.

So at this point, Google has no real legitimacy in any discussion of the EV Guideline rules for confirming corporate registration data that goes into certificates.

From: Ryan Sleevi <sleevi at google.com>
Sent: Thursday, December 5, 2019 11:12 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [EXTERNAL]Re: [Servercert-wg] Clarification about EVG 9.2.4

On Thu, Dec 5, 2019 at 1:57 PM Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
So… Google eliminated the EV UI in Chrome in September, and you have stated for years that EV identity information is of no value in user security.  So why are you trying to tell CAs what EV corporate registry data sources they should use when issuing EV certificates?  What’s your interest?


I'm afraid you're confused again, and may be unintentionally grossly misrepresenting things.

Chrome has not eliminated the EV UI, nor has, to the best of my knowledge, any other browser. While we heard that Apple updated their UI in June of 2018, Google simply moved how it treats EV information into a more cohesive UI surface that's better aligned with user security. It sounds like Mozilla Firefox has also adopted similar changes. However, all three browsers still support EV, and still display UI, so statements like "eliminated the EV UI" are simply factually wrong.

When it comes to discussion of corporate registry validation rules for EV certificates, I think CAs are more interested in the views and opinions of browsers who support EV and website identity instead of those who don’t.

Perhaps it's not how you intended to come across, but it does sound as if you're explicitly not interested in developing standards that can be used by a wide variety of consumers. I would think that, regardless of any disagreements about UI surface, we might agree on the need for consistent results among all CAs, and that all certificates - whether DV, OV, or EV - have identical levels of assurance, regardless of the CA that issued it. After all, that's the core activity of the Forum.

Of course, if there's no interest from CAs in developing fair, neutral, and consistent standards, I suppose it would be inevitable that the 'standards' that are developed, but lead to wildly inconsistent results, would be ignored or rejected by industry. After all, if the product isn't valuable to those who would potentially use it, it doesn't seem a worthwhile product.