Gervase Markham wrote:
> Ben Bucksch wrote:
>> OK. My thought is that we don't have many chances to push things like
>> that and have users consider it. If we make them aware of it, it
>> better be bulletproof, or we should not bother them with it, just
>> treat it as little better SSL cert, no special treatment.
>
> You're absolutely right. Educating users is an enormous effort. That's
> why I think whatever UI we choose (green bar, not green bar, whatever)
> should be decoupled from the underlying enabling technology (EV,
> DNSSec, phishing blacklist, whatever) we use to run it. That way, we
> only have to educate users once.

One more comment. I don't know whether you think that solves it. It does
not.
Even if we have generic UI (like green bar), it does not help us, if we
have nothing to back it up. We should not show "Good" unless we're sure
the site is *trustworthy* - not just verified address/identity, not on
blacklist, etc., but really a site that we can recommend.
Or in other words: If EV is not bulletproof, it adds nothing, and does
not add anything. If we show it, and the checks were not performed
properly by the CA, and the CA disclaims liability, the users will be
mad at us or the Internet as a whole.
Similarly, if we show "green", "good" or whatever for PayPal, and PayPal
decides to freeze their account for no good reason (as they often do),
or their account gets robbed without their fault and PayPal does nothing
(as they always do), the user will understandably be *extremely* mad,
and we'll get part of the blame for showing "good", and the Internet as
a whole will be blamed. The fact that VeriSign verified the street
address of PayPal actually changes nothing.
So, unless we change the scope of CAs a lot, all that EV can give us, in
the way it's currently designed, is a verification of identity and
address, and all we can do is show that. That's actually what I'd like
to do, if we can make the displayed name meaningful and phishing-safe.
If not even *that* is reliable, we should not even show it. Which means
EV does not change anything in UI or for the user, all it does is make
CAs operate a little bit more like they should have from the beginning.
(But they'd still be below what I *expected* them to do for their money,
namely checking /beyond all doubts/ that the identity is correct, in the
way I proposed.)
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security