Duane wrote (quoting me):
>> I would propose that when viewing a web site with a low assurance root CA,
>> some kind of large ugly icon be displayed in the chrome, with a "tool tip"
>> that says something like "This web site may or may not be who they say".
>
> I don't think this is possible at all, how can a web browser determine the type of use a site has? Does it look for the word "visa" and reject it if it's low trust?

As proposed, type of use is not a factor for the software. The proposal says that the display would be solely a function of the level of assurance/ trust that mozilla.org and/or the user decided to bestow on the root CA.

The idea is that if the user sees the ugly icon (or flashing red chrome,
or whatever the UI experts decide) at the same time that he's looking at
(say) his bank's online website login page, he'll think twice.  On the
other hand, if he's just surfing around, looking at, uh, pretty pictures,
then he won't care.

The essence of this proposal is that we show the user an indication of
the level of trust that he has bestowed on the root CA for the page he's
presently viewing.  In case he doesn't know what the icon or flashing red
chrome (or whatever) means, I suggest there be a "tool tip" that explains
it in terms that will mean something to the average user.  Saying
"The root CA who issued this cert has low assurance" will mean nothing to
Joe Beercan.

I expected to be called a heretic for this proposal by some of my
coworkers on NSS/PSM, some of whom have previously expressed the view that
there is no point to multiple levels of CA security.  They might say it
as "if you're going to tell the user that the security is dubious, then
why bother to claim it's secure at all?"  I have no good answer to that.
They probably just haven't read this proposal yet.  :)

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto