On Fri, Dec 15, 2017 at 02:38:09PM -0800, Matthew Hardeman via dev-security-policy wrote:
> On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> > Removing it will make some users sad. Those users are relying upon the UI
> > to guarantee the things the UI does not guarantee. Removing it will feel
> > like a guarantee has been removed. The guarantee never existed, so the
> > guarantee is not being removed.
>
> Except it sort of does guarantee, with reasonable limitations. That
> Stripe, Inc. [US] certificate that Ian got doesn't include a domain label
> for stripe.com, does it? The real stripe's web address is well known and
> obvious. This EV presentation may confuse, but it does not inspire
> confidence.
If the user's checking the domain name, and can do so (either through their own knowledge and skills, or via the browser's UI affordances) to a sufficient degree that they can reliably identify that the "Stripe, Inc. [US]" EV UI element doesn't equate to the "Stripe, Inc. [US]" they expected to be communicating with... why do they need the EV UI? They can just check the domain instead.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

