OK. Well, both are required. The Logo that the user selects *and* the logo for the CA. Ideally, the logo for the CA should be encoded into the Cert / signed by it. This limits a false cert attack to the site's cert supplier, and thus paves the way to force the CAs to start checking who they are issuing the certs to.
For the CAs it means that users will start to recognise the various CAs. This is no difficulty as they already recognise the existence of Ford, Intel, Nokia, Virgin, ....
"No difficulty"? You don't see any difference between the Virgin brand and the Verisign brand? Do you really think users have the brain space to remember and understand 20 different CA brands, and make judgements based on that understanding?
Also, even if they do, they have no choice. A particular shop is only protected by a cert from one company. It's trust that company, or shop somewhere else. Those are the only options. And we are not in a million years going to persuade users, if they've found a product they like, to leave that shop and find it somewhere else just because the CA has a slightly tarnished reputation.
I do have an alternative solution to that problem I'm thinking about; I'll post it soon.
This is the place! One of the things to realise about any of these suggestions is that we need some amount of experimentation to find the right subset.
See http://www.gerv.net/hacking/security/phishing.html .
Gerv
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
