(From my personal point of view) I read Google’s paper[1]. For me, that paper’s result could be hypothesized like “some people do care about some information, which is written in EV but not in DV”.
That is… (A) If you click EV indicator, you will able to get more information about identity (compare to DV). (B) If you click page info without EV indicator, you usually only see DV cert’s identity information, which does not say much. (number of OV is far less than number of DV). Expected amount of information, from action (A) and (B) is very different, and expected information from (B) is small. So, even if there were someone who is aware of physical identity, He just do A) for best effort. #for me, it sounds more reasonable than “large size of the EV indicator draws accidental clicks” (3.2.2 of [1]). According to above thought, I feel like browser should (at least) differentiates -DV AND -OV or EV. Otherwise, people who do care about information on OV or EV would become tired of clicking page info of DV. #Do we just need identity on cyber space? I do not think many people would agree that. [1] The Web’s Identity Crisis:Understanding the Effectiveness of Website Identity Indicators, https://storage.googleapis.com/pub-tools-public-publication-data/pdf/400599205ab5a1c9efa03e2a7c127eb8200bf288.pdf _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
