You're welcome. Been thinking about it for a few days, and I had to do it. I don't disagree there's some benefits but being told "IT'S BETTER!" annoyed me quite a bit.
This is a really nice tool. But the fundamental reason most go for print is because its right there and that wins over other UX improvements or machinery. Python is a language where you can get a reasonably good debugger with a single line almost anywhere, still people reach for print()
It's still a separate factory making separate drives. This line even uses a different storage controller. But this is also true for luxury ranges, in general, so you may be asking for too fine of a distinction. (Their usual luxury range is the WD Red, however.)
That's the central problem, isn't it? Technology only gets more complicated, and we have never bothered much about giving general population effective tools and skills to make informed decisions for themselves.
A well-known company vouches for something, and that's all I'd know if I was buying a ring device.
I don't have any solutions to your last statement, but one of the problem is that legal name of the entity matching doesn't really mean its the same entiy you think it is - the example ( also in the original page): https://stripe.ian.sh/
When I visit that page I don't see an EV banner in my Chrome, version 76.0.3809.100. It seems like I'm meant to according to the document?
Edit: I see, it says it was revoked. Well that makes sense:
> Edit (April 29th, 2018): This site no longer uses an EV certificate. Comodo arbitrarily revoked — without any notice — the first certificate, saying this site was made with the intent to mislead. GoDaddy issued us a new one on 04/11/2018, but revoked it later that day, stating that the site was fraudulent.
So OBVIOUSLY the CAs are trying (maybe not as hard as we'd hope) to make sure EV is used responsibly, so why kill EV? Why not just improve the process a little bit more to make it unlikely to give an EV cert that clearly intends to mislead?
> It is notable that neither company believes they mis-issued the certificate.
What? They clearly revoked both and specified the reason, so does that not make the mis-issuance implicit?
Comodo has told me that they would give me a new certificate if I wanted. Unfortunately, tax complications in Kentucky mean the legal entity no longer exists. Feel free to replicate it, though :)
The definition of "mis-issuance" has some contention, but generally it means that the guidelines for issuing the certificate were violated (Baseline Requirements, EVGLs, etc). No guidelines/policies were violated for those certificates.
Corporate name collisions are not a problem that EV was intended to solve.
The point of an EV is that it ties TLS authentication back to a legal identity. Ian even helpfully points out that that the two "Stripe" companies, his and the famous payment company, have different corporate filings. He even links to them!
I would argue that this demonstrates, not disproves, the value of EV. A DV cert would not be traceable to any corporate filing at all.
> The point of an EV is that it ties TLS authentication back to a legal identity. Ian even helpfully points out that that the two "Stripe" companies, his and the famous payment company, have different corporate filings. He even links to them!
But that doesn't matter. The whole point of EV was that users would see the name in the address bar and trust it. If the model requires users to click through and read the details of the corporate filings, then EV was already a failure before it began.
> The whole point of EV was that users would see the name in the address bar and trust it.
This is not the point of EV. That's what I'm trying to say here.
It's obvious this would never be 100% reliable because sometimes the corporation has a different (lesser known) name from the popular product, and sometimes company names are similar.
The idea that EV only works if consumers 100% recognize and trust every possible green name is a strawman that was propped up to be knocked down.
But it literally is the selling point. If customers aren't expected to see the green text in the status bar and implicitly trust it, then EV has no value whatsoever. Because 0.00000001% of people will actually click through to see anything past the company name. Hell, I don't even have the slightest clue how to see the corporate filings. When I click through to see chase.com's certificate all I know is it's a company "JPMorgan Chase and Co." in NYC and it was issued by something called "Entrust, Inc."
Self plug: I wrote https://github.com/dbalan/idid to do more or less the same thing when my did file needed a bit more structure (also an excuse to write some haskell).
