Hi Gerv and everybody else. I'll try again to summarize the various replies
from you and, as promised, make some suggestions. This will be a somewhat
lengthy reply because of this. Sorry for this!

Gervase Markham wrote:
>> As someone else pointed out, Mozilla should lead, not follow. That's the
>> reason for our proposal...And what if Microsoft follows the lead of
>> Mozilla thereafter?
>
> But we should only lead where we think a particular innovation is
> actually better. We should not be different just for the sake of being
> different.
I absolutely agree with you! I really think there is a chance to make
certain things actually better.
>> What did I say?
>
> To rephrase him: "You are speaking as if standards have no value, and
> are all just useless pieces of paper."
Oh no, absolutely not! Standards are good, but it mostly depends on the
purpose and the problem the standard is solving.
>
>> I don't know, but because of market share giving a certain CA a green
>> card is the wrong message perhaps!
>
> So you would be happy for your own CA to be held to a 100% correct
> issuance standard? That is, if you issued one certificate incorrectly,
> you would be immediately and permanently removed from all browsers
> everywhere? 
No! But you don't answer what I said...did you realize what you
actually proposed? Sincerely? You actually suggested that StartCom (or
other smaller CAs) could be kicked out for a mistake, but Verisign will
stay there, no matter what, because of market share. Besides that, the
StartCom CA strives for 100% adherence to the CA policy (which is the
promise we give to the subscriber and relying party) and beyond!

>
>> For example Mozillas own CA policy would be a good start.
>
> No, I mean particular alternative audit scheme (such as ETSI). Did you
> have one in mind?
There can be various audit schemes; however, I would like to see
alternatives to the WebTrust auditors, which are in my opinion an
expensive monopoly. There are valuable alternatives and perhaps
definitions available, which would also create some competition in this
field!
>
> I don't understand what you are asking for here. The insurance
> requirements apply only to EV. So it's irrelevant how many certs of
> any other type the CA issues. And you need the same level of insurance
> whether you are issuing 1 EV cert or 10,000. However, your premium may
> be different if you issue more, I don't know.
I understood that this is for EV only. Based on the knowledge we have
(for example how much we pay for our insurance), it might be quite
expensive (of course a relative term). We'd like to see a way to lower
that cost perhaps.
>
>> Overhead operational costs and requirements such as physical check of
>> the premise will make this type of certification certainly expensive, so
>> expensive is a relative term...Additionally many businesses will have
>> difficulties complying to every criteria.
>
> Which criteria do you think are particularly difficult, and how would
> you change them?
For example: _16. Verification of Applicant's Physical Existence_ might
be problematic, especially a visit to the premises from the CA's point of view.

>
>
> Additionally, one reason why phishers haven't been using SSL is
> because browser makers and others aren't screaming "look for the
> lock"; and the reason they aren't doing that is because they know
> phishers will then start getting domain-validated certs and we'll be
> no further forward.
>
> If we are going to try and educate the public to look for a trust
> indicator, we need a trust indicator which is worthy of the name. 
Which in your opinion a green address bar is?

> Alaric Dailey wrote:
>> and we aren't talking about "Jumping to" because MS and Verisign
>> invented  this new type of cert?
>
> No, they didn't. It was invented by a consortium of CAs and major
> browser vendors.
>
>> And aren't "High Assurance" certificates (as they exist now from
>> places like Comodo) supposed to be doing the same thing? 
>
> Supposedly. However, as Comodo won't tell you exactly what they do to
> make it "High Assurance", you can't tell. 
Can Melih from Comodo speak up on this?

>> This depends on the level of risk involved! Enough and not enough is not
>> something general, whereas enough for A, might be not enough for
>> performing B and otherwise. We suggest to give an indication HOW
>> rigorous a subscriber was verified. According to this indications a
>> relying party can make a proper decision if to proceed.
>
> Can you talk me through the thought processes of someone trying to
> make that decision, if the UI is as you state?
Yes! A new idea for this would be, on a first visit to an SSL-enabled
site, to present the user with a window with important and informative
details. Not a warning popup, but a friendly message, displaying the
most critical information the CA has bothered to include in the
certificate. Otherwise why should a CA bother to include this and other
information, if you have to click through 5 buttons in order to get a
clue about the subscriber? This is currently especially ridiculous,
because so much weight is put on the subject line (including EV), when
the average user, who after all knows how to handle a mouse, will never
ever actually see it! Think about it!
>
> "OK, that's a purple bar. Now purple is one step above white and one
> below green. That means, let me think, it's OK for me to make
> purchases up to $500, as long as I use a credit card with payment
> protection, but it's probably not safe for my debit card."
I'm not necessarily promoting different colors at all! Actually I'd prefer
to supply the information the user needs to know in an equal way, be
it for domain validated or EV and everything in between. Yellow has
served us well and people got used to it, in addition to the small
padlock in the address and status bar. However, the information needed
in order to make a decision is buried far away, not readily available!
This is my point here!
> I suggest that there's only really one level - "safe for my credit
> card number".
No! Because YOU can't decide what's safe for ME and any other user.
Otherwise, if this is what you are saying, I can sue YOU if you are
going to take the decision for ME and something happens! YOU (the
browser vendor) should display the relevant information the CA has
bothered to include in a digital certificate, in order to allow ME to make
a decision about what to do with the information I received.
>
> I completely disagree that we should focus on how to give the *most*
> information to the user. *Best*, certainly.
Agreed! Actually there is not so much information included in a digital
certificate anyway, so MOST in this case might also be BEST. However,
this is a minor issue once we agree that the information has to be
displayed, instead of painting nice colors!
>> Because valuable information is included in a digital certificates, such
>> as details about the subscriber, issuer and additional notes of the CA.
>> Displaying this information might help to prevent user mistakes and
>> provide indication about the certificates policy etc.
>
> Given that we have difficulty educating users even to look for a
> padlock (although admittedly this has not been pushed hard, at least
> by us, due to the lack of a standard underlying the padlock), I
> suggest that presenting more information is not going to help.
Of course it will! Just showing the domain name, organization,
locality, state, country and additional notes the CA has included in the
subject line will help the user and draw attention to it. He might
perhaps receive a pretty good initial indication of whether he wants to do
business with this site. Otherwise why include this information in the
first place, if you are going to hide it away!? I didn't say overloaded
information, but currently the Firefox browser isn't providing ANY
information. What does it help to pop up "Authenticated by StartCom Ltd."
when hovering over the padlock? Does the casual user know who StartCom
is? Or Comodo? Or Geotrust? Or...

I want to know who the site operator is, in which country and city he is
registered. What's his official name and, at last, what kind of
verification he has undergone! This is the important information, not
"Authenticated by...."
>
> Usability suggests that we need to present the minimum information
> necessary for the user to make the decision at hand. The decision we
> are thinking about is "can I put my credit card number into this
> site?". This is a yes/no question, and so a yes/no indicator is most
> appropriate. _Most users do not have the understanding or tools to
> make this decision based on raw certificate data._
>
Exactly! That's why I'm promoting a much better way of displaying the
certificate and issuer details! BTW, EV status might be part of this
information...

> Duane wrote:
>> As usually I've come to the conclusion that mozilla reps are asking for
>> feedback, but don't really care for answers as their minds are either
>> made up, or just don't care.
>
> I certainly care for answers. Of course, I'm not going to be the one
> doing the implementing; I suspect that the decision will be taken by
> Dan Veditz (security) and Mike Beltzner (UI), in consultation with others.
Huuu? So why are the decision makers not involved in this discussion? I
mean, we spend time and effort in order to help and shape an important
part of a security-related component (mainly policy-wise), if after all
none of our input is being considered seriously?!? Can you clarify
the decision-making process and use of this thread perhaps?


-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
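The "show who the site operator is" display that Eddy asks for, as an added example that is not part of this thread or of any browser's code: a Go program that builds a constructed self-signed certificate (sample subject data; the policy OID is a labelled placeholder, not any real CA's EV or OV identifier) and renders the subject, issuer and verification-level fields a first-visit window could present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed placeholder policy OID: it stands for "organisation validated"
// in this example only and is not any real CA's certificate policy identifier.
var hypotheticalOVPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// validationLabel maps the certificatePolicies OIDs to a human-readable level.
// A browser would keep such a table per trusted CA; here it has one entry.
func validationLabel(c *x509.Certificate) string {
	for _, oid := range c.PolicyIdentifiers {
		if oid.Equal(hypotheticalOVPolicy) {
			return "organisation validated (hypothetical policy)"
		}
	}
	return "domain validated only (no known policy OID)"
}

func join(v []string) string {
	if len(v) == 0 {
		return "-"
	}
	return strings.Join(v, ", ")
}

// OperatorSummary renders the fields the mail wants shown on first visit:
// site name, operator, locality, state, country, issuer and verification level.
func OperatorSummary(c *x509.Certificate) string {
	s := c.Subject
	return fmt.Sprintf("Site: %s\nOperator: %s\nLocation: %s, %s, %s\nIssuer: %s\nVerification: %s",
		s.CommonName, join(s.Organization), join(s.Locality), join(s.Province),
		join(s.Country), join(c.Issuer.Organization), validationLabel(c))
}

// MakeConstructedCert builds a self-signed certificate with sample subject
// data and a certificatePolicies extension (OID 2.5.29.32) carrying the
// placeholder policy; the extension DER is a SEQUENCE OF PolicyInformation.
func MakeConstructedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	policies, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{hypotheticalOVPolicy}})
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Ltd"},
			Locality: []string{"Sample City"}, Province: []string{"Sample State"}, Country: []string{"IL"}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames:  []string{"www.example.com"},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so the summary reads real DER, not the template
}

func main() {
	c, err := MakeConstructedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(OperatorSummary(c))
}
```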
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
