Gervase Markham wrote:
> But the more levels we have, the more work it is for us and the CAs to classify certificates and products. If this distinction is not reflected in the UI, that work is wasted.

I didn't suggest that it's not reflected in the UI. Just that it's not the only thing reflected in the UI. And as a result, the same UI can get used for different certificate levels, depending on what else you know about the site.

> I think there's a strong level of absolutism here. That is to say, if a certain level of vetting is sufficient for a web shop, then it's sufficient. The level below doesn't magically become sufficient just because someone else is distributing the browser.

It might if the someone else has other out-of-band information. Please repeat after Beltzner: "There's more to making a decision than the information in the certificate".

> Yes, of course. But isn't it obvious what I meant?

Apparently not?

> For example, my mother is considering using her credit card at a shop, and the UI presents all those indicators consistent with a level 2 certificate, and none of those consistent with a level 3 certificate. What message is she supposed to get?

Good question! That's something to keep in mind when deciding on the levels and the UI, of course. I won't pretend that I have an answer here.

> Or to put it another way, if I'm a shop, can I get a level 2 certificate and be fairly sure that browsers won't discourage people from shopping with me?

I think the answer is "maybe". For example, if the browser maker reads in the news that your shop has been convicted of selling customer information, they might want to think about discouraging people from shopping with you no matter what level certificate you have.

It's tough for the shop, for sure... But I don't have a better answer to your question yet. An answer would be the policy of the browser maker in question, whatever that is.

-Boris
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security