GNOME Bugzilla – Bug 721179
No differentiation of DV/EV certs
Last modified: 2019-08-30 18:29:08 UTC
Epiphany treats domain-validated certificates the same as extended-validation certificates. When an EV certificate is in use, modern browsers are expected to prominently display the name of the organization that owns the website. Since it is very easy to get a DV cert, it should be clear that an EV cert is more secure. The Firefox policy may be of interest: https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure
FWIW, an EV cert is not "more secure" than a domain-validated (DV) certificate -- it's more strongly validated as being tied to a real-world entity. That is, it is more tightly bound to a legal corporation, organization, or individual, in a specific geopolitical jurisdiction. The goal of alternate UX for EV certs should be to display that real-world (legal-world?) identity binding to the user, not to convince the user that the party on the other end of the TLS connection is somehow better at handling sensitive data. Note that the browsers that support EV certificates do not necessarily support EV certificates from any CA in the browser's root store. Since the validity of the EV material (org name and location info) in an X.509 certificate is only itself as reliable as the certifier itself, CAs should need to demonstrate the ability to actually verify this sort of information before the browser willingly relies on that signal. If a browser encounters an EV certificate from a CA that it has no reason to believe is capable of actually verifying EV material, it should treat that certificate exactly like a DV certificate.
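The rule in the comment above, sketched as an added example (not Epiphany's code and not part of the original thread): EV presentation is granted only when the chain's root is on a browser-maintained EV allowlist for a policy OID the leaf asserts; otherwise the certificate is shown like a DV one. The `CertInfo` fields, the root identifiers and the allowlist are constructed assumptions, and chain validation is assumed to have already succeeded.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# CA/Browser Forum certificate policy OIDs (public, well-known values).
CABF_EV = "2.23.140.1.1"
CABF_DV = "2.23.140.1.2.1"

@dataclass(frozen=True)
class CertInfo:
    """Hypothetical summary of a leaf cert after the chain has validated."""
    host: str
    policy_oids: FrozenSet[str]   # certificatePolicies asserted by the leaf
    organization: Optional[str]   # subject O
    country: Optional[str]        # subject C
    root_id: str                  # trust anchor the chain terminates in

# Hypothetical allowlist: root -> EV policy OIDs the browser accepts from it.
# Root names are constructed placeholders, not real CAs.
EV_ENABLED_ROOTS = {"example-root-A": frozenset({CABF_EV})}

def identity_label(cert: CertInfo, ev_roots=EV_ENABLED_ROOTS) -> Tuple[str, str]:
    """Return (display_level, address_bar_text)."""
    allowed = ev_roots.get(cert.root_id, frozenset())
    # EV display needs an asserted OID the root is trusted for AND the
    # legal identity fields that the EV UI exists to show.
    if (cert.policy_oids & allowed) and cert.organization and cert.country:
        return "EV", f"{cert.organization} [{cert.country}]"
    # Anything else, including an EV-claiming cert from a root without
    # EV status, is presented exactly like a DV certificate.
    return "DV", cert.host

# Constructed sample inputs.
SAMPLES = [
    CertInfo("shop.example", frozenset({CABF_EV}), "Example Corp", "US", "example-root-A"),
    CertInfo("shop.example", frozenset({CABF_EV}), "Example Corp", "US", "example-root-B"),
    CertInfo("blog.example", frozenset({CABF_DV}), None, None, "example-root-A"),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.host, c.root_id, "->", identity_label(c))
```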
This is a mass NEEDINFO of all Epiphany bugs with no activity in the past three years. I'm going to be automatically closing old bugs to help us focus on current problems. If you feel this bug is still relevant with Epiphany 3.26 or newer, then please leave any comment here so that I know not to close this one.
This is a mass-close of old bugs currently in the NEEDINFO state. If you think this bug is still relevant, please leave a comment.
This feature was removed from Firefox and Chrome; see https://www.feistyduck.com/bulletproof-tls-newsletter/issue_56_firefox_and_chrome_will_remove_gui_indicator_for_extended_validation_certificates for details.