Howdy all,

First of all I'd like to thank all the contributors to this thread, but particularly Eddy for starting it, and Gerv, Ben and Nelson for alternately acting as supporters and foils. As someone new to Mozilla (the company that is, I'm quite familiar with the app, of course) it is quite helpful to have these conversations to peruse while I familiarize myself with the lay of the land here.

I'm going to offer some preliminary thoughts here, based on what I've read, and based on where my particular areas of focus lie (namely, if and how the UI will present these debates to our users), but I want to emphasize that at this point in the game *my mind is hardly made up* and, even if it were, my wand is not yet so magical and my power not yet so great that me saying something makes it law.

1. To a first approximation my sense is that, unsurprisingly, EV and Eddy's proposal are trying to accomplish the same thing: strengthening the internet's TLS/SSL certificate infrastructure to provide stronger identity verification. If I could be so bold as to summarize this entire thread in a sentence, I would say that basically all of these electrons flying are trying to answer the question of which proposal does a better job of verifying identity in a defensible way.

This isn't meant to be a controversial observation, so I hope we don't get stuck here. My point is just that we're all trying to solve the same basic problem (n.b. conversations about whether EV is just a profit grab aren't really the point are they? The proposals are what they are, if they suck, let them suck for technical reasons, not character attacks. And if they're good, let them succeed on their merits.)

2. Eddy is noble in his attempts to avoid (for the moment, anyhow :) the UI implications of his proposal, even though Gerv's right that it has to eventually come back to that. If we put in all the 'plumbing' to make this happen and do nothing in the UI whatsoever, the whole thing is sort of a moot point - fun to argue but ultimately ineffective at making our users safer. Beltzner's right when he says that more metadata is a good thing, since it gives us, as browser builders, more potential context to draw on, but again the implication is that someone's going to potentially surface this stuff. So eventually, obviously, we have to come back to the UI. I freely admit that this point might reflect my own biases. :)

3.  So what we really need to get clear on is this:

What information do our users want, need, and understand, when it comes to safety on the web? And how much of that should be conveyed by CAs through SSL Certs?

The second part is critical, because one thing I haven't seen reflected much in this thread (for obvious reasons) is that a cert is not the only source of info we have here. We have a user's browsing history ("Note: this looks like your bank's site, but it's the first time you've ever been to this url"), we have the anti-phishing blacklists, we have third parties like resellerratings and bbbonline that bite off the piece CAs don't want ("Yes, this site is trustworthy, their reputation as a business is positive"). CAs are nonetheless critical in all of this because more than any other group, they have the ability to do the kind of validation that both EV and this proposal seek to provide, and that's important information.

With this in mind, a proposal that imagines 4 (or 3, or 5) levels of cert must tackle the UI question head on because, in an environment where a richer level of detail is communicated to the user, those 4 categories have to be really relevant and distinct to provide a meaningful contribution. As beltzner mentioned in his post, we can more easily talk to a user about the difference between "Encrypted" and "Encrypted + Identity Verified" than we can about the difference between "Identity Verified" and "Identity better verified."

Imagine that we found a way to clearly present to the user:

+ Your connection is encrypted
+ The site's identity has been verified
+ You've been here many times before
+ This site is trusted by (your friends | bbbonline | other vendor rating sites)
+ This site appears on no blacklists

Identity is a piece of online safety, but it isn't all of it, so my goal in these discussions and others like them, is to arrive at an answer for what the identity piece looks like, without losing sight of the fact that it is only one piece of context.

4. I think Gerv was right on when he said that (I hope I'm not misquoting him here) Mozilla would have no problem with there being two strong standards for identity validation, EV and XYZ, and with presenting them both using whatever "Identity is verified" UI we evolve. I don't think we as an organization are tied to EV and EV alone.

Our goal is to create a safer environment for our users and when we can't protect them actively (e.g. aggressive anti-phishing warnings) we want to at least enable them to make good decisions. The acid test for me, for any proposed standard like this, is whether it will help users do that more successfully.

Once again though, I freely recognize my bias here, and welcome comment, from those of you who survived the whole post.

Cheers,

Johnathan

--
Johnathan Nightingale
Human Shield
Mozilla Corporation
[EMAIL PROTECTED]
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security