I propose to more actively involve users into the process of accepting
certificates for domains.

I envision a UI where users are required to approve once, whether the
combination of a CA and a domain is acceptable to the user.

The following UI would be shown whenever a user starts a connection to a
secure site, and the site uses a CA that has not yet been approved for
the respective domain (or if the user uses a fresh computer or a fresh
browser profile).

The following UI would only be shown if the certificate can otherwise
be correctly chained up to a trusted CA - the scenario that we currently
allow to proceed automatically.

Inline comments regarding the UI are wrapped using <<< >>>.

======[begin UI]======
You are trying to open a secure connection to a remote site:
   www.my-bank.xy

A connection can be secure if the remote site can prove to be the
legitimate owner of the site.

The remote site claims to be:
  Organization = My Bank
  Name = www.my-bank.xy
  Locality = My City, Country = XY
                                  [view complete site certificate]

The site presented a certificate from this Certificate Authority (CA):
  Organization = "A trustworthy CA"
  Organizational Unit = Class n Certification Authority
  Country = XY
                                  [view complete CA certificate]

<<<for domain validation certs>>>
The CA claims to have verified that an owner of the domain is operating
the remote site.

<<<for extended validation certs>>>
The CA claims to have verified the identity of the operator of the
remote site, based on business registration documents, to be the
registered owner of the site.


Do you trust the Certificate Authority to have correctly verified the
remote site, and that the verification is sufficient for your security
needs?

<<<user must make a choice, or the connection won't proceed>>>
( )  yes, for all sites in top level domain “.xy”
( )  yes, for all sites in domain “my-bank.xy”
( )  yes, for all sites in domain “www.my-bank.xy”
(*)  no, don't connect

[ remember choice and continue ]

<<<the system will remember the selected association of {CA, domain}>>>
<<<future, different combinations of {CA, domain} will require another
confirmation>>>

======[end of UI]======

Crossposted to dev-security.
Please follow-up to dev-tech-crypto@lists.mozilla.org

Thanks and Regards,
Kai


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
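The decision logic behind the proposed dialog, as an added example that is not part of Kai's post or of any Mozilla code: a store of remembered {CA, domain} approvals, the three scope choices from the dialog (TLD, domain, exact host), and the rule that a connection is allowed without asking only when the chain already validates and the same CA was previously approved for a scope covering the host. It generalises the three choices to every suffix of the host name, and it assumes a simple "last label is the TLD" model (no public-suffix list) and an opaque `ca_id` string (for instance a CA certificate fingerprint) as the CA identity.

```python
# Constructed example: per-{CA, domain} approval store modelled on the proposed dialog.

def candidate_scopes(host):
    """Scopes that would cover `host`, most specific first.
    "www.my-bank.xy" -> ["www.my-bank.xy", "my-bank.xy", "xy"]
    (assumption: the last label is the top level domain)."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class CaApprovalStore:
    """Remembers which CA (by ca_id) the user approved for which domain scope."""

    def __init__(self):
        self._approved = {}  # ca_id -> set of approved scopes

    def remember(self, ca_id, scope):
        self._approved.setdefault(ca_id, set()).add(scope)

    def is_approved(self, ca_id, host):
        scopes = self._approved.get(ca_id, set())
        return any(scope in scopes for scope in candidate_scopes(host))


def decide(store, ca_id, host, chain_valid, user_choice=None):
    """Return "connect", "prompt" or "reject" for one connection attempt.

    chain_valid: result of the ordinary chain validation to a trusted root;
    user_choice: None if the user has not answered yet, "no", or one of the
    scopes offered by the dialog (a value of candidate_scopes(host))."""
    if not chain_valid:
        return "reject"          # existing error path, dialog never shown
    if store.is_approved(ca_id, host):
        return "connect"         # same {CA, domain} seen and approved before
    if user_choice is None:
        return "prompt"          # new {CA, domain} combination: ask the user
    if user_choice == "no":
        return "reject"          # default choice in the dialog
    if user_choice not in candidate_scopes(host):
        raise ValueError("choice %r does not cover host %r" % (user_choice, host))
    store.remember(ca_id, user_choice)   # "remember choice and continue"
    return "connect"
```

A different CA for an already-approved domain, or an already-approved CA for a domain outside every remembered scope, both yield "prompt" again.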
