Eddy Nigg (StartCom Ltd.) wrote:
> For a starter try this: http://www.hecker.org/mozilla/ca-certificate-list
> Next try the Authorities Certificate store of your Firefox browser
> And at last, try uncle Google...
>
> BTW, it is common to place the CA policy in a prominent place on the CA
> web site, after all, this is part of the legal contract between the CA -
> subscriber and relying party. In theory a user (RP) should read the CA
> policy of the issuing CA before trusting a certificate, otherwise how
> should he know about the verifications performed or any other procedure
> a CA promises? Obviously, this is not very practical, hence our
> proposal for a simplified but improved UI change!
Thanks for the link, I knew about it but forgot... I'll scan some of the docs. My guess would be that some policies and practices documents do not describe things in as much detail as the EV draft does, thereby leaving me with questions even after reading them. It is not very practical to require a user to read those specs, especially considering those policies can be written in any language.

I have to disagree with you on some of your UI choices though. I think everything the user needs to make a decision about trusting a site needs to be visible by default. Requiring the user to mouse over a control gets tedious quickly even for people who know about it, and those that don't know may never discover it. Also, the more levels of trust/security there are, the more confusing it is for the user - hence I am in the camp advocating as few levels as possible (I think we need 3 - no SSL, current SSL, EV).

I haven't yet read the EV draft fully to see how closely it matches my expectations, but commentary from other people seems to indicate it is reasonable (barring some bugs and clarifications). I believe it will improve the situation. I know it won't be 100% foolproof, but then again I don't think anything can be.

-- 
Heikki Toivonen

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
