Dan Mosedale wrote:
> [EMAIL PROTECTED] (Ben Bucksch) writes:
>
>> Bob Relyea wrote:
>>
>>> Very little. We aren't allowed to make any value judgements on the quality
>>> of a CA's certification process, or we take on the certification liability.
>>
>> Ouch. It was my assumption that the root CAs are very trusted and have
>> to meet hard requirements to ensure that.
>
> I suspect that most users are likely to make the same assumption that
> Ben did. I certainly would have if I didn't know better. Mitchell,
> are we totally stuck here, from a legal standpoint?
>
> Dan

Folks, this is why I keep insisting that we clearly tell the user
who is making the assertion about a web page or S/MIME user. We should
put the Issuer CN in the chrome (rather than in a tooltip) and in
the dialog box you get when you enter an HTTPS page (the one that
now uselessly tells you that you're about to visit a secure site).
We should do similar things for S/MIME.
-Bob
--
Bob Lord
Director, Security Engineering
Netscape Communications Corp.
http://www.mozilla.org/projects/security/pki/
http://people.netscape.com/lord/open-reqs.html