Duane wrote:
Heikki Toivonen wrote:
I haven't yet read the EV draft fully to see how closely it matches my
expectations, but commentary from other people seems to indicate it is
reasonable (barring some bugs and clarifications). I believe it will
improve the situation. I know it won't be 100% foolproof, but then again
I don't think anything can be.
How can it be considered reasonable if the number of businesses using EV
certificates will be relatively low? Shouldn't Mozilla and other
interested parties that are supposed to be looking out for their users
actually be doing something that will work for all sites? Having a big
bank account doesn't equate to trust; look at the Enrons of the world.
Number of businesses != number of transactions, as I've pointed out
earlier. And you need to produce some evidence for your assertion that
very few businesses will want EV. That depends on a number of factors -
price, difficulty of obtaining one, and the publicity campaign
surrounding it. The latter is pretty important. If banks, browser
makers, CAs, consumer advocacy groups and online shops are all saying
"Look for the green bar", we can a) persuade users to look for it, and
b) persuade merchants to want it.
We can't have such a campaign around the lock because there's no
standard behind it; it would be building on sand. But if we have
something with a standard, which can be improved and reinforced if holes
are found, we have a rock on which to build a campaign to improve public
safety on the net.
And no matter what Gerv says, the crux of the issue is this is all about
monetary barriers to entry, because all it takes is enough money and any
of the barriers thought up thus far can be overcome.
Of course they can. But no jeweller buys a $10,000 diamond for $100,000.
If it costs more to get over the barriers than you can reap from the
resulting phishing expedition, criminals won't bother. They are
businesses, just the same as Amazon or Google. They are looking to turn
a profit too.
Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security