[Servercert-wg] [EXTERNAL]Re: Clarification about EVG 9.2.4

Ryan Sleevi sleevi at google.com
Thu Dec 5 15:00:03 MST 2019


On Thu, Dec 5, 2019 at 4:50 PM Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> For you to assert that removing the Chrome EV UI and all EV identity
> information from the address bar (confirmed organization name and country)
> to an inside page constitutes “support” for EV is laughable.  Even your
> close allies think Chrome’s move means the end of EV certificates:
>
> https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
>
> The writing might have been on the wall a year ago, but the death warrant
> is now well and truly inked with both Chrome and Firefox killing it stone
> cold dead. Here's the Google announcement
> <https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ>
> :
>
> *On HTTPS websites using EV certificates, Chrome currently displays an EV
> badge to the left of the URL bar. Starting in Version 77, Chrome will move
> this UI to Page Info, which is accessed by clicking the lock icon.*
>
> (By the way, Mr. Hunt is incorrect in saying the EV UI has been removed
> from Safari – it’s still there.)
>

Kirk,

Again, I would request you stop misrepresenting things, especially when
you're continuing to quote things that show you are not true nor correct.

You recognize that Safari showing different treatment for EV in the UI
constitutes "EV UI", which shows even less information than Chrome does,
and yet when Chrome treats EV certificates differently in the UI, you claim
that's not EV UI.

Regardless of your view of definitions, you're simply spreading false
information, which, having been repeatedly corrected, can't help but seem
like intentional disinformation. I appreciate, at least, that you're
including the links that show you're deeply confused on the matter, and
allowing folks to see for themselves how far from the truth your statements
are.

Again, in the spirit of finding something productive, which you appear
committed to being disruptive and hostile for no purpose, I hope that we
can agree that for EV certificates to be valuable, we must have a standard
that ensures consistency among CAs, that ensures information is
consistently validated, and is useful. We're trying to work with CAs to
ensure there are clear, consistent, relevant guidelines for validating
information, in order to ensure that EV can be useful to browsers and our
users. Regardless of your views of our UI, which are entirely orthogonal
and an inappropriate non sequitur, rejecting feedback from industry
experience, based on the real issues being faced, simply because you don't
like who says it or what they do, is simply not productive.

Perhaps it was your intent to disrupt the conversation by the
non sequitur into UI, but I do hope we can move back, in a spirit of
comity, into productively discussing how to ensure EV information is useful
and reliable. You still have not replied as to whether you share our goal
of ensuring there are consistent validation standards, that can be readily
adopted and without ambiguity, and which ensures true interoperability. If
you do share that goal, perhaps we can focus on how to make that happen,
using the learned experience from the entire industry, recognizing the
challenges we have in front of us, and have a more productive discussion,
avoiding the needless misrepresentations and sniping.