Ian G wrote:
Good, I'm glad you understand what is meant by
branding.  By forcing VeriSign to brand themselves
like Virgin, they are laid bare to their trusting public.
Who knows, maybe they will surprise us all.

You expect Verisign to start taking out brand-building ads based on a change we make to Firefox?


And if they do, do you expect any negative publicity they may get to trump the positive publicity from those ads, such that users have an overall negative assessment of the company?

Either way, right now, Mozilla is hiding the fact that
Verisign is being used to create relationships that
are falsely presented as trust.  In fact, Firefox lies
about it by saying that the user trusts this cert and/or
provider.

The user trusts us (implicitly by downloading the software and running it), and we trust the provider.


Do you really think users have the brain space to remember and understand 20 different CA brands, and make judgements based on that understanding?

Do you really think MF should purport to make the decision that the user should trust 20 different CAs without a choice?

Absolutely. Because of all the people who could make that decision, we are the most qualified.


Yes, users can remember the brands needed. Huge
numbers of branding studies have shown the user
has a capability to deal with brands.

That second sentence does not imply the first.

The entire
western commerce system runs on it, and relies
on it to get bread to your door, petrol in your car,
your car itself, and beer at the end of the car
journey.

None of these things rely on branding; they rely on people manufacturing products, and them ending up in shops. I don't give a stuff what brand of petrol I get - it's all the same.


You've really bought the Nike vision, haven't you? The brand is all-important. :-)

Quick, how many beer brands do you
know and recognise?

Are you suggesting that CAs will be taking out television adverts like beer brands? They aren't _selling_ anything to the general public.


And this is a security question, right?  Tell me why
it is that you trust Saunalahden?  You do trust them,
that's what Firefox has decided.  Now, why is that?

Because mozilla.org trusts them, because they've met the criteria necessary for inclusion. (Yes, we should be running the criteria over legacy CAs.)


And we are not in a million years going to persuade users, if they've found a product they like, to leave that shop and find it somewhere else just because the CA has a slightly tarnished reputation.

Oh, then that's fine. No problem. The consumer has a choice. She sees that Verisign protects Paypal. She stays. That's at least a correct trust calculation by the interested parties,

No, it's not. It's an "I want to use Paypal" calculation.

The only way displaying the CA brand will ever have an effect is if users know enough about CAs and are wary enough of particular ones that they refuse to shop with shops protected by them. This is just not going to happen. Ever. Putting logos in the UI won't even come close to generating the amount of awareness among the general user population that you'd need.

And, when it comes down to it, users just don't care enough to take the time to acquire that level of knowledge. IE doesn't make them learn all this stuff and make all these trust estimates. Microsoft just says "Don't worry, we've taken care of it." We should be able to say the same.

Gerv
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto