Duane wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> That's perhaps a question for the EV/Browser Forum... but since the
>> subscriber is supposed to get validated extensively, he would not dare
>> to try something like this.
>
> This merely raises the cost of doing business for "the bad guys", it
> doesn't prevent or deter things,

The second half of your sentence contradicts the first. If the cost of
doing business is raised, it will deter. The higher the raise, the
greater the deterrent.

> since ID theft and ID fraud and plain
> old fake ID documents are rampant, basing a strong system around a weak
> one (ID documents) won't fix the problem, just cull the stupid.

Have you actually read the draft? This is not a "fax in your letterhead"
system.

> Although as you pointed out, most phishing/fraud attacks don't even
> bother with SSL certificates so this isn't going to prevent much until
> the population can be educated (good luck with that) or shown how to
> tell better (pet name tool bars etc) that something is up with the site
> they are visiting.

Don't "pet name tool bars etc" require education to use also?

A potential advantage of EV if all the browsers adopt it is that
browsers, CAs, financial and other secure sites and consumer advocacy
groups can have a single, simple consistent message for users. This
makes it more likely that they'll actually pay attention.

Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security