Florian Weimer wrote:
* Amir Herzberg:
# Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF
The trusted credentials area is an interesting concept.
Thanks.
However, experience suggests that given the current business models, we cannot build the required logotype registry. All registries which are used on the Internet (for IP address assignments, BGP prefixes, DNS names, and even X.509 certificates) are known to fail under stress.
I'm not sure what you mean by `logotype registry`. Such a registry already exists (off-web), i.e. national trademark offices, e.g. www.uspto.gov. These bodies could issue logo certificates. Or, private companies, e.g. VeriSign, can issue logo certificates, based on the official trademark registers; that shouldn't be hard.
As to a registry to hold these certificates - the site (e.g. bank) would probably keep it... and many other places (this is signed i.e. not risky to keep).
Finally, of course, until such certificates are available, we simply use the manual binding of logos/icons/names to public keys, on the first time you enter a secure site using a browser with our enhancement. It works great... very convenient, and very clear (see screen shots in paper).
--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
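The manual binding of a name and logo to a site's public key, described in the message above, sketched as an added example; it is not code from the mail, the paper or the browser enhancement. The class and function names, the SHA-256 key identifier, the per-host record used to flag a changed key, and the state strings are all assumptions made for illustration.

```python
import hashlib

def key_id(public_key_der: bytes) -> str:
    # Assumption: a key is identified by the SHA-256 of its encoded form.
    return hashlib.sha256(public_key_der).hexdigest()

class CredentialBindings:
    """User-made bindings from a site's public key to a name and logo."""

    def __init__(self):
        self._by_key = {}    # key id -> (name, logo) chosen by the user
        self._host_key = {}  # host -> key id seen when the binding was made

    def bind(self, host, public_key_der, name, logo):
        """First visit: store the user's choice; refuse to overwrite it silently."""
        kid = key_id(public_key_der)
        if self._by_key.get(kid, (name, logo)) != (name, logo):
            raise ValueError("this key is already bound to another name/logo")
        self._by_key[kid] = (name, logo)
        self._host_key[host] = kid

    def trusted_area(self, host, public_key_der):
        """Return (state, name, logo) for the key the server proved it holds."""
        kid = key_id(public_key_der)
        if kid in self._by_key:
            # The key decides what is shown, whatever host name was typed.
            return ("bound",) + self._by_key[kid]
        if host in self._host_key:
            # Known host, different key: show no credentials and flag the change.
            return ("key-changed", None, None)
        return ("unbound", None, None)

# Constructed sample data: placeholder bytes standing in for encoded public keys.
BANK_KEY = b"constructed-public-key-of-the-bank"
SPOOF_KEY = b"constructed-public-key-of-another-site"

def demo():
    store = CredentialBindings()
    store.bind("bank.example", BANK_KEY, "My Bank", "my-bank-logo.png")
    return [
        store.trusted_area("bank.example", BANK_KEY),       # return visit
        store.trusted_area("bank.example.net", SPOOF_KEY),  # look-alike name, other key
        store.trusted_area("bank.example", SPOOF_KEY),      # same name, other key
    ]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the lookup is keyed on the public key, a look-alike host name never inherits the name and logo the user chose for the real site.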
