Eddy Nigg (StartCom Ltd.) wrote:
> Gervase Markham wrote:
> For example: _16. Verification of Applicant’s Physical Existence_ might
> be problematic, specially a visit at the premise from the CA point of view.

I actually want the CA to do this check on my behalf. There may be ways for the CAs to give this task to some local agent to lower the travel costs. In any case, I would expect the applicant to reimburse the costs to the CA. It certainly makes the certification more expensive, but I don't see any ways around that.

> Yes! A new idea for this would be, on a first visit at an SSL enabled
> site to present the user with a window with important and informative
> details. Not a warning popup, but a friendly message, displaying the
> most critical information the CA has bothered to include in the
> certificate. Otherwise why should a CA bother to include this and other
> information, if you have to click through 5 buttons in order to get a
> clue about the subscriber. This is currently specially ridiculous,
> because so much weight is put on the subject line (including EV), when
> the average user, who after all knows how to handle a mouse, never ever
> will actually see it! Think about it!

I am somewhat wary of first-time-only messages, as they are so easily bypassed/forgotten. I certainly like to see more information, but I don't know how/where that information should be presented, nor am I sure how much should be presented. I think I'd like the full name and address (physical and web), with a country flag, to be at least partially visible all the time.

>> I suggest that there's only really one level - "safe for my credit
>> card number".
> No! Because YOU can't decide what's safe for ME and any other user.

I think we have to agree to disagree on that. I agree with Gerv that multiple levels (or no levels at all but presenting the user with all the information for them to effectively make up their own levels) is too hard on the users. We (CAs, browser vendors) need to agree on a level that we think most users will find acceptable for all purposes.

Still, I would like it if the full certificate information was also available in a more readable format and with fewer mouse clicks than currently. One idea that I had, but probably isn't feasible, was to have an SSL information bar (like the popup blocker) on SSL (or maybe just EV) sites that would have the company name and address with country flag, and an advanced button which would display all of the certificate information. Additional indicators could still be the green bar, with domain name bolded, the padlock, etc. The obvious problem here is that company name and address can be really long and not fit...

--
Heikki Toivonen

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
