[Servercert-wg] [EXTERNAL]Re: Clarification about EVG 9.2.4

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Dec 5 17:17:54 MST 2019


No disruption intended, Ryan.  I am just suggesting that Google has essentially disqualified itself for any useful ideas on EV certificates and validation by removing the Chrome EV UI.  To me, here is a fitting analogy: A mayor of a town suddenly takes down all the street signs because he thinks they don’t help drivers find their destinations.  Then he shows up at the next street sign manufacturing standards committee with lots of ideas for how street signs should be made…  What’s wrong with this picture?

I have received the following references to other articles that demonstrate that it doesn’t really matter what Google thinks about its actions in removing the EV UI from Chrome. Journalists and experts believe EV is gone.

Extended Validation Certificates are (Really, Really) Dead
https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

Extended Validation Certificates are Dead
https://www.troyhunt.com/extended-validation-certificates-are-dead/

Chrome and Firefox Changes Spark the End of EV Certificates
https://www.bleepingcomputer.com/news/software/chrome-and-firefox-changes-spark-the-end-of-ev-certificates/

Chrome 77 Released With Removed EV Certificate Indicator
https://www.bleepingcomputer.com/news/google/chrome-77-released-with-removed-ev-certificate-indicator/

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice. Not working as intended, says browser security team. The next version of Google's Chrome web browser, 77, will not indicate whether a site has an EV (Extended Validation) certificate unless the user drills down into the Page Info dialogue.
https://www.theregister.co.uk/2019/08/12/google_chrome_extended_validation_certificates/

EV UI Moving to Page Info
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md

CHROME AND FIREFOX REMOVING EV CERTIFICATE INDICATORS
https://duo.com/decipher/chrome-and-firefox-removing-ev-certificate-indicators

Chrome bumps ineffective EV certificates off the omnibar
https://nakedsecurity.sophos.com/2019/09/10/chrome-bumps-ineffective-ev-certificates-off-the-omnibar/

Chrome, Firefox to expunge Extended Validation cert signals
https://www.computerworld.com/article/3431667/chrome-firefox-to-expunge-extended-validation-cert-signals.html

Chrome 77 released with no EV indicators, contact picker, permanent Guest Mode
https://www.zdnet.com/article/chrome-77-released-with-no-ev-indicators-contact-picker-permanent-guest-mode/

Chrome 77 fixes 52 security flaws, removes 'ineffective' green bar EV SSL indicators
https://www.cso.com.au/article/666328/chrome-77-fixes-52-security-flaws-removes-ineffective-green-bar-ev-ssl-indicators/

From: Ryan Sleevi <sleevi at google.com>
Sent: Thursday, December 5, 2019 2:00 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [EXTERNAL]Re: [Servercert-wg] Clarification about EVG 9.2.4



On Thu, Dec 5, 2019 at 4:50 PM Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
For you to assert that removing the Chrome EV UI and all EV identity information from the address bar (confirmed organization name and country) to an inside page constitutes “support” for EV is laughable.  Even your close allies think Chrome’s move means the end of EV certificates:

https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone cold dead. Here's the Google announcement: <https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ>

On HTTPS websites using EV certificates, Chrome currently displays an EV badge to the left of the URL bar. Starting in Version 77, Chrome will move this UI to Page Info, which is accessed by clicking the lock icon.

(By the way, Mr. Hunt is incorrect in saying the EV UI has been removed from Safari – it’s still there.)

Kirk,

Again, I would request you stop misrepresenting things, especially when you're continuing to quote things that show you are not true nor correct.

You recognize that Safari showing different treatment for EV in the UI constitutes "EV UI", which shows even less information than Chrome does, and yet when Chrome treats EV certificates differently in the UI, you claim that's not EV UI.

Regardless of your view of definitions, you're simply spreading false information, which, having been repeatedly corrected, can't help but seem like intentional disinformation. I appreciate, at least, that you're including the links that show you're deeply confused on the matter, and allowing folks to see for themselves how far from the truth your statements are.

Again, in the spirit of finding something productive, which you appear committed to being disruptive and hostile for no purpose, I hope that we can agree that for EV certificates to be valuable, we must have a standard that ensures consistency among CAs, that ensures information is consistently validated, and is useful. We're trying to work with CAs to ensure there's clear, consistent, relevant guidelines for validating information, in order to ensure that EV can be useful to browsers and our users. Regardless of your views of our UI, which are entirely orthogonal and an inappropriate non sequitur, rejecting feedback from industry experience, based on the real issues being faced, simply because you don't like who says it or what they do, is simply not productive.

Perhaps it was your intent to disrupt the conversation by the non sequitur into UI, but I do hope we can move back, in a spirit of comity, into productively discussing how to ensure EV information is useful and reliable. You still have not replied as to whether you share our goal of ensuring there are consistent validation standards, that can be readily adopted and without ambiguity, and which ensures true interoperability. If you do share that goal, perhaps we can focus on how to make that happen, using the learned experience from the entire industry, recognizing the challenges we have in front of us, and have a more productive discussion, avoiding the needless misrepresentations and sniping.
